nodejs
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in nodejs.
By the Year
In 2026 there have been 0 vulnerabilities in nodejs. Last year, in 2025 Nodejs had 1 security vulnerability published. Right now, Nodejs is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 0.00 |
| 2024 | 4 | 7.50 |
| 2023 | 3 | 7.50 |
It may take a day or so for new Nodejs vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent nodejs Security Vulnerabilities
Node.js path.join vulnerability: Windows device name DOS via CON/PRN/AUX
CVE-2025-27210
- July 18, 2025
An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` API.
Directory traversal
Node.js Wasm Export Name Injection via --experimental-wasm-modules
CVE-2023-39333
5.3 - Medium
- September 07, 2024
Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability affects users of any active release line of Node.js. The vulnerable feature is only available if Node.js is started with the `--experimental-wasm-modules` command line option.
Code Injection
Node.js unpatched with OpenSSL vulnerable to Marvin Attack
CVE-2023-46809
7.4 - High
- September 07, 2024
Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key.
Covert Timing Channel
CVE-2024-3566: CreateProcessBased Command Injection in Windows Apps
CVE-2024-3566
9.8 - Critical
- April 10, 2024
A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
Node.js HTTP/2 DoS via header frame race condition
CVE-2024-27983
- April 09, 2024
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
Race Condition
Node.js Policy Integrity Check Bypass via Forged Checksum
CVE-2023-38552
- October 18, 2023
When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.
Node.js 20.x Bypass Perm. Model via process.binding() Path Traversal
CVE-2023-32558
7.5 - High
- September 12, 2023
The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Directory traversal
Node.js Privilege Escalation via Deprecated process.binding API
CVE-2023-32559
7.5 - High
- August 24, 2023
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
Improper Privilege Management
The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which
CVE-2012-2330
- August 13, 2012
The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive information (request header contents) and possibly spoof HTTP headers via a zero length string.
Improper Input Validation
