
CVE-2024-27980
https://notcve.org/view.php?id=CVE-2024-27980
09 Jan 2025 — Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. • http://www.openwall.com/lists/oss-security/2024/04/10/15 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2024-22020 – nodejs: Bypass network import restriction via data URL
https://notcve.org/view.php?id=CVE-2024-22020
09 Jul 2024 — A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers. • http://www.openwall.com/lists/oss-security/2024/07/11/6 • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-284: Improper Access Control •

CVE-2024-3566 – Command injection vulnerability in programming languages on Microsoft Windows operating system.
https://notcve.org/view.php?id=CVE-2024-3566
10 Apr 2024 — A command injection vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. • https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows •

CVE-2024-22025 – nodejs: using the fetch() function to retrieve content from an untrusted URL leads to denial of service
https://notcve.org/view.php?id=CVE-2024-22025
19 Mar 2024 — A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potent... • https://hackerone.com/reports/2284065 • CWE-400: Uncontrolled Resource Consumption • CWE-404: Improper Resource Shutdown or Release •

CVE-2024-21892 – nodejs: code injection and privilege escalation through Linux capabilities
https://notcve.org/view.php?id=CVE-2024-21892
20 Feb 2024 — On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges, with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges. • http://www.openwall.com/lists/oss-security/2024/03/11/1 • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-269: Improper Privilege Management •

CVE-2023-39333 – nodejs: code injection via WebAssembly export names
https://notcve.org/view.php?id=CVE-2023-39333
28 Dec 2023 — Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability affects users of any active release line of Node.js. The vulnerable feature is only available if Node.js is started with the `--experimental-wasm-modules` command line option. • https://nodejs.org/en/blog/vulnerability/october-2023-security-releases • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-30585
https://notcve.org/view.php?id=CVE-2023-30585
28 Nov 2023 — A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT AUTHORITY\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, ... • https://nodejs.org/en/blog/vulnerability/june-2023-security-releases •

CVE-2023-38552 – nodejs: integrity checks according to policies can be circumvented
https://notcve.org/view.php?id=CVE-2023-38552
18 Oct 2023 — When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js. • https://hackerone.com/reports/2094235 • CWE-345: Insufficient Verification of Data Authenticity • CWE-354: Improper Validation of Integrity Check Value •

CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •

CVE-2023-32559 – nodejs: Permissions policies can be bypassed via process.binding
https://notcve.org/view.php?id=CVE-2023-32559
24 Aug 2023 — A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` to run arbitrary code outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. • https://hackerone.com/reports/1946470 • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-269: Improper Privilege Management •