CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2025-23085 – nodejs: GOAWAY HTTP/2 frames cause memory leak outside heap
https://notcve.org/view.php?id=CVE-2025-23085
07 Feb 2025 — A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x. A vulnerability was found in NodeJS when handling HTTP/2 co... • https://nodejs.org/en/blog/vulnerability/january-2025-security-releases • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.6EPSS: 0%CPEs: 4EXPL: 0CVE-2025-23084
https://notcve.org/view.php?id=CVE-2025-23084
28 Jan 2025 — A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of `path.join` API. • https://nodejs.org/en/blog/vulnerability/january-2025-security-releases • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-23083 – nodejs: Node.js Worker Thread Exposure via Diagnostics Channel
https://notcve.org/view.php?id=CVE-2025-23083
22 Jan 2025 — With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23. A flaw was found in the Node.js diagnostics_channel. This vulnerability allows an attacker to reinstate and misuse work... • https://nodejs.org/en/blog/vulnerability/january-2025-security-releases • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-22150 – Undici Uses Insufficiently Random Values
https://notcve.org/view.php?id=CVE-2025-22150
21 Jan 2025 — Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the... • https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f • CWE-330: Use of Insufficiently Random Values •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37372
https://notcve.org/view.php?id=CVE-2024-37372
09 Jan 2025 — The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases. • http://www.openwall.com/lists/oss-security/2024/07/11/6 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-48948
https://notcve.org/view.php?id=CVE-2024-48948
15 Oct 2024 — The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid. • https://github.com/indutny/elliptic/issues/321 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36138
https://notcve.org/view.php?id=CVE-2024-36138
07 Sep 2024 — Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. • https://nodejs.org/en/blog/vulnerability/july-2024-security-releases • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2024-36137 – nodejs: fs.fchown/fchmod bypasses permission model
https://notcve.org/view.php?id=CVE-2024-36137
07 Sep 2024 — A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file. A flaw was found in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on fil... • https://nodejs.org/en/blog/vulnerability/july-2024-security-releases • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 2.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38372 – Undici vulnerable to data leak when using response.arrayBuffer()
https://notcve.org/view.php?id=CVE-2024-38372
08 Jul 2024 — Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2. Undici es un cliente HTTP/1.1, escrito desde cero para Node.js. Dependiendo de las condiciones de la red y del proceso de una solicitud `fetch()`, `response.arrayBuffer()` podría incluir parte de la memoria del proceso Node.js. • https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36 • CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-30260 – Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
https://notcve.org/view.php?id=CVE-2024-30260
04 Apr 2024 — Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1. Undici es un cliente HTTP/1.1, escrito desde cero para Node.js. Undici borró los encabezados Authorization y Proxy-Authorization para `fetch()`, pero no los borró para `undici.request()`. • https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f • CWE-285: Improper Authorization •