Every CVE whose affected-product data names Nodejs Node.js, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (173)
CVE-2015-0278 — CVSS 10.0 (critical): libuv before 0.10.34 does not properly drop group privileges, which allows context-dependent attackers to gain privileges via unspecified…
CVE-2026-21636 — CVSS 10.0 (critical): A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is…
CVE-2026-48930 — CVSS 9.8 (critical): A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation…
CVE-2016-9841 — CVSS 9.8 (critical): inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
CVE-2023-32002 — CVSS 9.8 (critical): The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module…
CVE-2019-15606 — CVSS 9.8 (critical): Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value…
CVE-2024-21896 — CVSS 9.8 (critical): The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path…
CVE-2019-15605 — CVSS 9.8 (critical): HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
CVE-2024-3566 — CVSS 9.8 (critical): A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the…
CVE-2016-9843 — CVSS 9.8 (critical): The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving…
CVE-2023-39332 — CVSS 9.8 (critical): Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class…
CVE-2021-22931 — CVSS 9.8 (critical): Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input…
CVE-2016-6303 — CVSS 9.8 (critical): Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of…
CVE-2016-5180 — CVSS 9.8 (critical): Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of…
CVE-2021-22930 — CVSS 9.8 (critical): Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory…
CVE-2015-6764 — CVSS 9.8 (critical): The BasicJsonStringifier::SerializeJSArray function in json-stringifier.h in the JSON stringifier in Google V8, as used in Google Chrome…
CVE-2017-15896 — CVSS 9.1 (critical): Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result…
CVE-2025-55130 — CVSS 9.1 (critical): A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted…
CVE-2022-35255 — CVSS 9.1 (critical): A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGe…
CVE-2024-21891 — CVSS 8.8 (high): Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with…
CVE-2016-9842 — CVSS 8.8 (high): The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors…
CVE-2023-32006 — CVSS 8.8 (high): The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition…
CVE-2018-7160 — CVSS 8.8 (high): The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution…
CVE-2016-1669 — CVSS 8.8 (high): The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as used in Google Chrome before 50.0.2661.102, does not properly determine…
CVE-2016-9840 — CVSS 8.8 (high): inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
CVE-2020-10531 — CVSS 8.8 (high): An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based…
CVE-2023-32004 — CVSS 8.8 (high): A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to…
CVE-2022-21824 — CVSS 8.2 (high): Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the…
CVE-2022-32212 — CVSS 8.1 (high): A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that…
CVE-2014-9748 — CVSS 8.1 (high): The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from…
CVE-2020-8265 — CVSS 8.1 (high): Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to…
CVE-2020-8174 — CVSS 8.1 (high): napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
CVE-2018-12120 — CVSS 8.1 (high): Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with…
CVE-2022-43548 — CVSS 8.1 (high): A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost…
CVE-2020-8252 — CVSS 7.8 (high): The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which…
CVE-2021-22921 — CVSS 7.8 (high): Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows…
CVE-2024-21892 — CVSS 7.8 (high): On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running…
CVE-2013-2882 — CVSS 7.5 (high): Google V8, as used in Google Chrome before 28.0.1500.95, allows remote attackers to cause a denial of service or possibly have unspecified…
CVE-2013-6668 — CVSS 7.5 (high): Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Google Chrome before 33.0.1750.146, allow attackers to…
CVE-2014-3744 — CVSS 7.5 (high): Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e…
CVE-2015-3193 — CVSS 7.5 (high): The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by…
CVE-2015-3194 — CVSS 7.5 (high): crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL…
CVE-2015-5380 — CVSS 7.5 (high): The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and…
CVE-2015-8027 — CVSS 7.5 (high): Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket…
CVE-2015-8855 — CVSS 7.5 (high): The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka…
CVE-2015-8860 — CVSS 7.5 (high): The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
CVE-2016-0797 — CVSS 7.5 (high): Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap…
CVE-2016-2086 — CVSS 7.5 (high): Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request…
CVE-2016-2105 — CVSS 7.5 (high): Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote…
CVE-2016-2183 — CVSS 7.5 (high): The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of…
CVE-2016-2216 — CVSS 7.5 (high): The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x…
CVE-2016-3956 — CVSS 7.5 (high): The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5…
CVE-2016-6304 — CVSS 7.5 (high): Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a…
CVE-2016-7052 — CVSS 7.5 (high): crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application…
CVE-2017-1000381 — CVSS 7.5 (high): The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the…
CVE-2017-11499 — CVSS 7.5 (high): Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to…
CVE-2017-14849 — CVSS 7.5 (high): Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the…
CVE-2017-14919 — CVSS 7.5 (high): Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and…
CVE-2017-3731 — CVSS 7.5 (high): If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that…
CVE-2018-0732 — CVSS 7.5 (high): During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client…
CVE-2018-1000168 — CVSS 7.5 (high): nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that…
CVE-2018-12115 — CVSS 7.5 (high): In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names…
CVE-2018-12116 — CVSS 7.5 (high): Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized…
CVE-2018-12121 — CVSS 7.5 (high): Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a…
CVE-2018-12122 — CVSS 7.5 (high): Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial…
CVE-2018-7158 — CVSS 7.5 (high): The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in…
CVE-2018-7161 — CVSS 7.5 (high): All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by…
CVE-2018-7162 — CVSS 7.5 (high): All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a…
CVE-2018-7164 — CVSS 7.5 (high): Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory…
CVE-2018-7166 — CVSS 7.5 (high): In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This…
CVE-2018-7167 — CVSS 7.5 (high): Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to…
CVE-2019-15604 — CVSS 7.5 (high): Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate
CVE-2019-5737 — CVSS 7.5 (high): In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of…
CVE-2019-5739 — CVSS 7.5 (high): Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0…
CVE-2019-9511 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a…
CVE-2019-9512 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings…
CVE-2019-9513 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple…
CVE-2019-9514 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of…
CVE-2019-9515 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of…
CVE-2019-9517 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The…
CVE-2019-9518 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a…
CVE-2020-8251 — CVSS 7.5 (high): Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server…
CVE-2020-8277 — CVSS 7.5 (high): A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in…
CVE-2021-22883 — CVSS 7.5 (high): Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an…
CVE-2021-22884 — CVSS 7.5 (high): Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”…
CVE-2021-22940 — CVSS 7.5 (high): Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory…
CVE-2021-23840 — CVSS 7.5 (high): Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input…
CVE-2021-4044 — CVSS 7.5 (high): Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may…
CVE-2022-0778 — CVSS 7.5 (high): The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli…
CVE-2022-3602 — CVSS 7.5 (high): A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after…
CVE-2022-3786 — CVSS 7.5 (high): A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after…
CVE-2023-23918 — CVSS 7.5 (high): A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the…
CVE-2023-23919 — CVSS 7.5 (high): A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL…
CVE-2023-30581 — CVSS 7.5 (high): The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the…
CVE-2023-30585 — CVSS 7.5 (high): A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install…
CVE-2023-30586 — CVSS 7.5 (high): A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission…
CVE-2023-30589 — CVSS 7.5 (high): The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to…
CVE-2023-30590 — CVSS 7.5 (high): The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only…
CVE-2023-32558 — CVSS 7.5 (high): The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all…
CVE-2023-32559 — CVSS 7.5 (high): A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use…
CVE-2023-38552 — CVSS 7.5 (high): When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation…
CVE-2023-39331 — CVSS 7.5 (high): A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability…
CVE-2024-22019 — CVSS 7.5 (high): A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to…
CVE-2025-59464 — CVSS 7.5 (high): A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated…
CVE-2025-59465 — CVSS 7.5 (high): A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket`…
CVE-2025-59466 — CVSS 7.5 (high): We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when…
CVE-2026-21637 — CVSS 7.5 (high): A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or…
CVE-2026-48615 — CVSS 7.5 (high): A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials…
CVE-2026-48619 — CVSS 7.5 (high): A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on…
CVE-2026-48933 — CVSS 7.5 (high): A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This…
CVE-2021-3450 — CVSS 7.4 (high): The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by…
CVE-2014-0224 — CVSS 7.4 (high): OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages…
CVE-2021-44531 — CVSS 7.4 (high): Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in…
CVE-2020-8201 — CVSS 7.4 (high): Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The…
CVE-2020-8172 — CVSS 7.4 (high): TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.
CVE-2022-32223 — CVSS 7.3 (high): Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be…
CVE-2022-32213 — CVSS 6.5 (medium): The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding…
CVE-2022-32214 — CVSS 6.5 (medium): The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP…
CVE-2022-32215 — CVSS 6.5 (medium): The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding…
CVE-2024-21890 — CVSS 6.5 (medium): The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path…
CVE-2022-35256 — CVSS 6.5 (medium): The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may…
CVE-2020-8287 — CVSS 6.5 (medium): Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two…
CVE-2016-5172 — CVSS 6.5 (medium): The parser in Google V8, as used in Google Chrome before 53.0.2785.113, mishandles scopes, which allows remote attackers to obtain…
CVE-2017-16024 — CVSS 6.5 (medium): The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before…
CVE-2019-9516 — CVSS 6.5 (medium): Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of…
CVE-2023-23936 — CVSS 6.5 (medium): Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect…
CVE-2018-21270 — CVSS 6.5 (medium): Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized…
CVE-2026-48618 — CVSS 6.5 (medium): A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication…
CVE-2015-2927 — CVSS 6.5 (medium): node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to cause a denial of service (bandwidth consumption).
CVE-2013-7452 — CVSS 6.1 (medium): The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted…
CVE-2014-9772 — CVSS 6.1 (medium): The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded…
CVE-2016-5325 — CVSS 6.1 (medium): CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before…
CVE-2013-7454 — CVSS 6.1 (medium): The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden…
CVE-2013-7453 — CVSS 6.1 (medium): The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related…
CVE-2013-7451 — CVSS 6.1 (medium): The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag.
CVE-2018-0735 — CVSS 5.9 (medium): The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in…
CVE-2020-1971 — CVSS 5.9 (medium): The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName…
CVE-2019-1559 — CVSS 5.9 (medium): If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive…
CVE-2021-3449 — CVSS 5.9 (medium): An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation…
CVE-2016-7055 — CVSS 5.9 (medium): There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c…
CVE-2016-6306 — CVSS 5.9 (medium): The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service…
CVE-2018-0734 — CVSS 5.9 (medium): The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in…
CVE-2016-7099 — CVSS 5.9 (medium): The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does…
CVE-2016-2107 — CVSS 5.9 (medium): The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding…
CVE-2017-3732 — CVSS 5.9 (medium): There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC…
CVE-2017-3738 — CVSS 5.9 (medium): There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are…
CVE-2021-3672 — CVSS 5.6 (medium): A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to…
CVE-2025-23084 — CVSS 5.5 (medium): A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain…
CVE-2016-2178 — CVSS 5.5 (medium): The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time…
CVE-2026-48928 — CVSS 5.4 (medium): A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all…
CVE-2021-22939 — CVSS 5.3 (medium): If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned…
CVE-2021-44532 — CVSS 5.3 (medium): Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to…
CVE-2021-22918 — CVSS 5.3 (medium): Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII…
CVE-2022-32222 — CVSS 5.3 (medium): A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf…
CVE-2023-32003 — CVSS 5.3 (medium): `fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from…
CVE-2021-44533 — CVSS 5.3 (medium): Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could…
CVE-2023-32005 — CVSS 5.3 (medium): A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read…
CVE-2023-30588 — CVSS 5.3 (medium): When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs…
CVE-2018-7159 — CVSS 5.3 (medium): The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1…
CVE-2025-55132 — CVSS 5.3 (medium): A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process…
CVE-2016-0702 — CVSS 5.1 (medium): The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly…
CVE-2014-7191 — CVSS 5.0 (medium): The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of…
CVE-2018-5407 — CVSS 4.7 (medium): Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel…
CVE-2018-12123 — CVSS 4.3 (medium): Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a…
CVE-2026-48934 — CVSS 4.3 (medium): A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported…
CVE-2023-23920 — CVSS 4.2 (medium): An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search…
CVE-2026-48931 — CVSS 3.7 (low): A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This…
CVE-2020-11080 — CVSS 3.7 (low): In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack…
CVE-2026-48936 — CVSS 3.3 (low): A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net`…
CVE-2026-48935 — CVSS 3.3 (low): A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g…
CVE-2017-15897 — CVSS 3.1 (low): Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the…