nodejs Evented IO for v8 JavaScript
Recent nodejs Security Advisories
Advisory | Title | Published |
---|---|---|
2023-07-31 | Tuesday August 8th 2023 Security Releases | July 31, 2023 |
2023-06-20 | Tuesday June 20 2023 Security Releases | June 20, 2023 |
2023-06-13 | Tuesday June 20 2023 Security Releases | June 13, 2023 |
2023-02-16 | Thursday February 16 2023 Security Releases | February 16, 2023 |
2023-02-07 | Tuesday February 14 2023 Security Releases | February 7, 2023 |
2022-12-16 | OpenSSL 3.0.7 update assessment | December 16, 2022 |
By the Year
In 2023 there have been 14 vulnerabilities in nodejs with an average score of 7.2 out of ten. Last year nodejs had 28 security vulnerabilities published. Right now, nodejs is on track to have fewer security vulnerabilities in 2023 than it did last year. Last year, the average CVE base score was greater by 0.10.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 14 | 7.15 |
2022 | 28 | 7.25 |
2021 | 27 | 7.40 |
2020 | 15 | 7.96 |
2019 | 14 | 6.69 |
2018 | 20 | 6.95 |
It may take a day or so for new nodejs vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent nodejs Security Vulnerabilities
The use of the deprecated API `process.binding()` can bypass the permission model through path traversal
CVE-2023-32558
7.5 - High
- September 12, 2023
The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Directory traversal
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument
CVE-2023-32005
5.3 - Medium
- September 12, 2023
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Incorrect Permission Assignment for Critical Resource
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x
CVE-2023-32559
7.5 - High
- August 24, 2023
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` to run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
Improper Privilege Management
The use of `Module._load()` can bypass the policy mechanism
CVE-2023-32002
9.8 - Critical
- August 21, 2023
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack
CVE-2023-32003
5.3 - Medium
- August 15, 2023
`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Directory traversal
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model
CVE-2023-32004
8.8 - High
- August 15, 2023
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Directory traversal
The use of `module.constructor.createRequire()`
CVE-2023-32006
8.8 - High
- August 15, 2023
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
A privilege escalation vulnerability exists in Node.js 20
CVE-2023-30586
7.5 - High
- July 01, 2023
A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine() API can be used to bypass the permission model when called with a compatible OpenSSL engine. The OpenSSL engine can, for example, disable the permission model in the host process by manipulating the process's stack memory to locate the permission model Permission::enabled_ in the host process's heap memory. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
AuthZ
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests
CVE-2023-30589
7.5 - High
- July 01, 2023
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and v20.
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3
CVE-2023-23919
7.5 - High
- February 23, 2023
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3
CVE-2023-23918
7.5 - High
- February 23, 2023
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non-authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
AuthZ
An untrusted search path vulnerability exists in Node.js
CVE-2023-23920
4.2 - Medium
- February 23, 2023
An untrusted search path vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.
Untrusted Path
Undici is an HTTP/1.1 client for Node.js
CVE-2023-24807
7.5 - High
- February 16, 2023
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
ReDoS
Undici is an HTTP/1.1 client for Node.js
CVE-2023-23936
5.4 - Medium
- February 16, 2023
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
Injection
If an X.509 certificate contains a malformed policy constraint and policy processing is enabled
CVE-2022-3996
7.5 - High
- December 13, 2022
If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy` argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()` function. Update (31 March 2023): The description of the policy processing enablement was corrected based on CVE-2023-0466.
Improper Locking
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc
CVE-2022-35255
9.1 - Critical
- December 05, 2022
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value; it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned by EntropySource() may not be cryptographically strong and therefore not suitable as keying material.
PRNG
A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check
CVE-2022-43548
8.1 - High
- December 05, 2022
An OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests, allowing rebinding attacks. The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.
Shell injection