Node.js — программная платформа, основанная на движке V8 (компилирующем JavaScript в машинный код)
Релизный цикл, информация об уязвимостях
График релизов
Количество 1 024
CVE-2023-23936
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
CVE-2023-23936
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 ...
CVE-2023-23936
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
CVE-2023-23919
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.
CVE-2023-23936
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
CVE-2023-23920
An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.
CVE-2023-23918
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
BDU:2023-01627
Уязвимость функции process.mainModule.require() программной платформы Node.js, позволяющая нарушителю повысить свои привилегии
BDU:2023-01626
Уязвимость программной платформы Node.js, связанная с ошибками шифрования данных, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-02655
Уязвимость программной платформы Node.js, связанная с использованием ненадёжного пути поиска, позволяющая нарушителю повысить свои привилегии
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2023-23936 Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici. | CVSS3: 6.5 | 1% Низкий | больше 2 лет назад |
| CVE-2023-23936 Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 ... | CVSS3: 6.5 | 1% Низкий | больше 2 лет назад |
 | CVE-2023-23936 Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici. | CVSS3: 6.5 | 1% Низкий | больше 2 лет назад |
 | CVE-2023-23919 A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service. | CVSS3: 7.5 | 1% Низкий | больше 2 лет назад |
| CVE-2023-23936 Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici. | CVSS3: 6.5 | 1% Низкий | больше 2 лет назад |
| CVE-2023-23920 An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges. | CVSS3: 4.2 | 0% Низкий | больше 2 лет назад |
| CVE-2023-23918 A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy. | CVSS3: 7.5 | 0% Низкий | больше 2 лет назад |
 | BDU:2023-01627 Уязвимость функции process.mainModule.require() программной платформы Node.js, позволяющая нарушителю повысить свои привилегии | CVSS3: 7.5 | 0% Низкий | больше 2 лет назад |
| BDU:2023-01626 Уязвимость программной платформы Node.js, связанная с ошибками шифрования данных, позволяющая нарушителю вызвать отказ в обслуживании | CVSS3: 7.5 | 1% Низкий | больше 2 лет назад |
| BDU:2023-02655 Уязвимость программной платформы Node.js, связанная с использованием ненадёжного пути поиска, позволяющая нарушителю повысить свои привилегии | CVSS3: 4.2 | 0% Низкий | больше 2 лет назад |
Уязвимостей на страницу