Nodejs

Nodejs

25 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.5

CVE-2025-59465

  • EPSS 0.06%
  • Veröffentlicht 20.01.2026 20:41:55
  • Zuletzt bearbeitet 30.01.2026 20:25:39

A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of s...

7.5

CVE-2025-59464

  • EPSS 0.06%
  • Veröffentlicht 20.01.2026 20:41:55
  • Zuletzt bearbeitet 30.01.2026 20:26:26

A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing re...

7.5

CVE-2025-27210

  • EPSS 2.17%
  • Veröffentlicht 18.07.2025 22:54:27
  • Zuletzt bearbeitet 04.11.2025 22:16:08

An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` API.

7.5

CVE-2025-23166

  • EPSS 0.07%
  • Veröffentlicht 19.05.2025 01:25:08
  • Zuletzt bearbeitet 19.05.2025 15:15:23

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. T...

6.5

CVE-2025-47153

  • EPSS 0.21%
  • Veröffentlicht 01.05.2025 07:15:58
  • Zuletzt bearbeitet 02.05.2025 19:15:55

Certain build processes for libuv and Node.js for 32-bit systems, such as for the nodejs binary package through nodejs_20.19.0+dfsg-2_i386.deb for Debian GNU/Linux, have an inconsistent off_t size (e.g., building on i386 Debian always uses _FILE_OFFS...

7.7

CVE-2025-23090

  • EPSS 0.01%
  • Veröffentlicht 22.01.2025 02:15:34
  • Zuletzt bearbeitet 18.07.2025 23:15:22

Rejected reason: This CVE record has been withdrawn due to a duplicate entry CVE-2025-23083.

3.6

CVE-2024-37372

  • EPSS 0.05%
  • Veröffentlicht 09.01.2025 01:15:08
  • Zuletzt bearbeitet 02.05.2025 23:15:15

The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.

8.1

CVE-2024-27980

  • EPSS 0.27%
  • Veröffentlicht 09.01.2025 01:15:08
  • Zuletzt bearbeitet 09.01.2025 22:15:27

Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

7.7

CVE-2023-30584

  • EPSS 0.02%
  • Veröffentlicht 07.09.2024 16:15:02
  • Zuletzt bearbeitet 21.11.2024 08:00:27

A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions. Please note that at the time this CVE ...

8.1

CVE-2024-36138

  • EPSS 0.26%
  • Veröffentlicht 07.09.2024 16:15:02
  • Zuletzt bearbeitet 21.11.2024 09:21:41

Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and ...