CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 0CVE-2024-3566 – Command injection vulnerability in programing languages on Microsoft Windows operating system.
https://notcve.org/view.php?id=CVE-2024-3566
10 Apr 2024 — A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. • https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2023-23918 – Node.js: Permissions policies can be bypassed via process.mainModule
https://notcve.org/view.php?id=CVE-2023-23918
23 Feb 2023 — A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy. Node.js is a software development platform for building fast and scalable network applications in the JavaScript prog... • https://nodejs.org/en/blog/vulnerability/february-2023-security-releases • CWE-863: Incorrect Authorization •
CVSS: 7.8EPSS: 4%CPEs: 7EXPL: 1CVE-2023-23919 – Node.js: OpenSSL error handling issues in nodejs crypto library
https://notcve.org/view.php?id=CVE-2023-23919
23 Feb 2023 — A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service. Morgan Jones discovered that Node.js incorrectly handled certain inputs that leads to false positive errors during some cryptographic operations. If a us... • https://hackerone.com/reports/1808596 • CWE-310: Cryptographic Issues •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2023-23920 – Node.js: insecure loading of ICU data through ICU_DATA environment variable
https://notcve.org/view.php?id=CVE-2023-23920
23 Feb 2023 — An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges. Morgan Jones discovered that Node.js incorrectly handled certain inputs that leads to false positive errors during some cryptographic operations. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial o... • https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html • CWE-426: Untrusted Search Path •
CVSS: 8.1EPSS: 0%CPEs: 9EXPL: 0CVE-2022-43548 – nodejs: DNS rebinding in inspect via invalid octal IP address
https://notcve.org/view.php?id=CVE-2022-43548
05 Dec 2022 — A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix. Existe una vulnerabilidad de inyección de comandos del Sistema Operat... • https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action •
CVSS: 6.5EPSS: 3%CPEs: 11EXPL: 1CVE-2022-35256 – nodejs: HTTP Request Smuggling due to incorrect parsing of header fields
https://notcve.org/view.php?id=CVE-2022-35256
18 Oct 2022 — The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling. El analizador llhttp en el módulo http en Node v18.7.0 no maneja correctamente los campos de encabezado que no terminan con CLRF. Esto puede resultar en tráfico ilegal de solicitudes HTTP. A vulnerability was found in NodeJS due to improper validation of HTTP requests. • https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.3EPSS: 6%CPEs: 6EXPL: 1CVE-2022-32223
https://notcve.org/view.php?id=CVE-2022-32223
14 Jul 2022 — Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.I... • https://github.com/ianyong/cve-2022-32223 • CWE-427: Uncontrolled Search Path Element •
CVSS: 8.1EPSS: 0%CPEs: 13EXPL: 0CVE-2022-32212 – nodejs: DNS rebinding in --inspect via invalid IP addresses
https://notcve.org/view.php?id=CVE-2022-32212
14 Jul 2022 — A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks. Se presenta una vulnerabilidad de inyección de comandos en el Sistema Operativo en Node.js versiones anteriores a 14.20.0, anteriores a 16.16.0, anteriores a 18.5.0, debido a una comprobación insuficiente de IsAllowedHost ... • https://hackerone.com/reports/1632921 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-284: Improper Access Control CWE-703: Improper Check or Handling of Exceptional Conditions •
CVSS: 6.5EPSS: 89%CPEs: 15EXPL: 1CVE-2022-32213 – nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding
https://notcve.org/view.php?id=CVE-2022-32213
14 Jul 2022 — The llhttp parser
CVSS: 6.5EPSS: 68%CPEs: 9EXPL: 1CVE-2022-32214 – nodejs: HTTP request smuggling due to improper delimiting of header fields
https://notcve.org/view.php?id=CVE-2022-32214
14 Jul 2022 — The llhttp parser