
CVE-2025-23165 – nodejs: Memory Leak in Node.js ReadFileUtf8 Binding Leading to DoS
https://notcve.org/view.php?id=CVE-2025-23165
19 May 2025 — In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22. A flaw was found in the ReadFileUtf8 internal binding of Node.... • https://nodejs.org/en/blog/vulnerability/may-2025-security-releases • CWE-401: Missing Release of Memory after Effective Lifetime •

CVE-2025-23166 – nodejs: Remote Crash via SignTraits::DeriveBits() in Node.js
https://notcve.org/view.php?id=CVE-2025-23166
19 May 2025 — The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. A flaw was found in Node.js, specifically in the C++ method SignTraits::DeriveBits(). This vulnerability can allow a remote attacker to crash the Node.js runtime via untrust... • https://nodejs.org/en/blog/vulnerability/may-2025-security-releases • CWE-248: Uncaught Exception •

CVE-2025-23167 – nodejs: Improper HTTP Header Termination in Node.js 20 Enables Request Smuggling
https://notcve.org/view.php?id=CVE-2025-23167
19 May 2025 — A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade. A flaw was found in the HTTP parser of Node.j... • https://nodejs.org/en/blog/vulnerability/may-2025-security-releases • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVE-2025-47279 – undici Denial of Service attack via bad certificate data
https://notcve.org/view.php?id=CVE-2025-47279
15 May 2025 — Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If an attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaround, avoid calling a webhook repeatedly if the webhook fails. • https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3 • CWE-401: Missing Release of Memory after Effective Lifetime •

CVE-2025-23084
https://notcve.org/view.php?id=CVE-2025-23084
28 Jan 2025 — A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of `path.join` API. • https://nodejs.org/en/blog/vulnerability/january-2025-security-releases • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-23085 – nodejs: GOAWAY HTTP/2 frames cause memory leak outside heap
https://notcve.org/view.php?id=CVE-2025-23085
24 Jan 2025 — A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x. A vulnerability was found in NodeJS when handling HTTP/2 co... • https://nodejs.org/en/blog/vulnerability/january-2025-security-releases • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •

CVE-2025-23083 – nodejs: Node.js Worker Thread Exposure via Diagnostics Channel
https://notcve.org/view.php?id=CVE-2025-23083
22 Jan 2025 — With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23. A flaw was found in the Node.js diagnostics_channel. This vulnerability allows an attacker to reinstate and misuse work... • https://nodejs.org/en/blog/vulnerability/january-2025-security-releases • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •

CVE-2025-22150 – Undici Uses Insufficiently Random Values
https://notcve.org/view.php?id=CVE-2025-22150
21 Jan 2025 — Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the... • https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f • CWE-330: Use of Insufficiently Random Values •

CVE-2024-37372 – Gentoo Linux Security Advisory 202505-11
https://notcve.org/view.php?id=CVE-2024-37372
31 Oct 2024 — The Permission Model assumes that any path starting with two backslashes (`\\`) has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases. Multiple vulnerabilities have been discovered in Node.js, the worst of which could lead to execution of arbitrary code. Versions greater than or equal to 22.4.1 are affected. • http://www.openwall.com/lists/oss-security/2024/07/11/6 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2024-48948 – SUSE Security Advisory - SUSE-SU-2024:3771-1
https://notcve.org/view.php?id=CVE-2024-48948
15 Oct 2024 — The Elliptic package 6.5.7 for Node.js, in its ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of a _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid. This update for pgadmin4 fixes the following issues. Fixed socket.io: unhandled 'error' event. • https://github.com/indutny/elliptic/issues/321 • CWE-347: Improper Verification of Cryptographic Signature •