Nodejs

Nodejs

23 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.5

CVE-2025-27210

  • EPSS 1.91%
  • Published 18.07.2025 22:54:27
  • Last modified 22.07.2025 13:06:07

An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` API.

7.5

CVE-2025-23166

  • EPSS 0.12%
  • Published 19.05.2025 01:25:08
  • Last modified 19.05.2025 15:15:23

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. T...

6.5

CVE-2025-47153

  • EPSS 0.07%
  • Published 01.05.2025 07:15:58
  • Last modified 02.05.2025 19:15:55

Certain build processes for libuv and Node.js for 32-bit systems, such as for the nodejs binary package through nodejs_20.19.0+dfsg-2_i386.deb for Debian GNU/Linux, have an inconsistent off_t size (e.g., building on i386 Debian always uses _FILE_OFFS...

7.7

CVE-2025-23090

  • EPSS 0.01%
  • Published 22.01.2025 02:15:34
  • Last modified 18.07.2025 23:15:22

Rejected reason: This CVE record has been withdrawn due to a duplicate entry CVE-2025-23083.

3.6

CVE-2024-37372

  • EPSS 0.05%
  • Published 09.01.2025 01:15:08
  • Last modified 02.05.2025 23:15:15

The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.

8.1

CVE-2024-27980

  • EPSS 0.23%
  • Published 09.01.2025 01:15:08
  • Last modified 09.01.2025 22:15:27

Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

7.5

CVE-2023-30583

  • EPSS 0.01%
  • Published 07.09.2024 16:15:02
  • Last modified 21.11.2024 08:00:27

fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time ...

8.1

CVE-2024-36138

  • EPSS 0.1%
  • Published 07.09.2024 16:15:02
  • Last modified 21.11.2024 09:21:41

Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and ...

7.4

CVE-2023-46809

  • EPSS 0.96%
  • Published 07.09.2024 16:15:02
  • Last modified 09.09.2024 18:35:01

Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allow...

5.3

CVE-2023-39333

  • EPSS 0.09%
  • Published 07.09.2024 16:15:02
  • Last modified 21.11.2024 08:15:10

Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly mod...