Nodejs

Nodejs

23 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.5

CVE-2025-27210

  • EPSS 1.91%
  • Veröffentlicht 18.07.2025 22:54:27
  • Zuletzt bearbeitet 22.07.2025 13:06:07

An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` API.

7.5

CVE-2025-23166

  • EPSS 0.12%
  • Veröffentlicht 19.05.2025 01:25:08
  • Zuletzt bearbeitet 19.05.2025 15:15:23

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. T...

6.5

CVE-2025-47153

  • EPSS 0.07%
  • Veröffentlicht 01.05.2025 07:15:58
  • Zuletzt bearbeitet 02.05.2025 19:15:55

Certain build processes for libuv and Node.js for 32-bit systems, such as for the nodejs binary package through nodejs_20.19.0+dfsg-2_i386.deb for Debian GNU/Linux, have an inconsistent off_t size (e.g., building on i386 Debian always uses _FILE_OFFS...

7.7

CVE-2025-23090

  • EPSS 0.01%
  • Veröffentlicht 22.01.2025 02:15:34
  • Zuletzt bearbeitet 18.07.2025 23:15:22

Rejected reason: This CVE record has been withdrawn due to a duplicate entry CVE-2025-23083.

3.6

CVE-2024-37372

  • EPSS 0.05%
  • Veröffentlicht 09.01.2025 01:15:08
  • Zuletzt bearbeitet 02.05.2025 23:15:15

The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.

8.1

CVE-2024-27980

  • EPSS 0.23%
  • Veröffentlicht 09.01.2025 01:15:08
  • Zuletzt bearbeitet 09.01.2025 22:15:27

Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

7.5

CVE-2023-30583

  • EPSS 0.01%
  • Veröffentlicht 07.09.2024 16:15:02
  • Zuletzt bearbeitet 21.11.2024 08:00:27

fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time ...

8.1

CVE-2024-36138

  • EPSS 0.1%
  • Veröffentlicht 07.09.2024 16:15:02
  • Zuletzt bearbeitet 21.11.2024 09:21:41

Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and ...

7.4

CVE-2023-46809

  • EPSS 0.96%
  • Veröffentlicht 07.09.2024 16:15:02
  • Zuletzt bearbeitet 09.09.2024 18:35:01

Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allow...

5.3

CVE-2023-39333

  • EPSS 0.09%
  • Veröffentlicht 07.09.2024 16:15:02
  • Zuletzt bearbeitet 21.11.2024 08:15:10

Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly mod...