Node.js — программная платформа, основанная на движке V8 (компилирующем JavaScript в машинный код)
Релизный цикл, информация об уязвимостях
График релизов
Количество 1 090
CVE-2023-23920
An untrusted search path vulnerability exists in Node.js. <19.6.1, <18 ...
CVE-2023-23919
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.
CVE-2023-23919
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16 ...
CVE-2023-23918
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
CVE-2023-23918
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14 ...
CVE-2023-23920
An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.
CVE-2023-23918
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
CVE-2023-23919
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.
GHSA-5r9g-qh6m-jxff
CRLF Injection in Nodejs ‘undici’ via host
CVE-2023-23936
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| CVE-2023-23920 An untrusted search path vulnerability exists in Node.js. <19.6.1, <18 ... | CVSS3: 4.2 | 0% Низкий | около 3 лет назад |
 | CVE-2023-23919 A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service. | CVSS3: 7.5 | 1% Низкий | около 3 лет назад |
| CVE-2023-23919 A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16 ... | CVSS3: 7.5 | 1% Низкий | около 3 лет назад |
| CVE-2023-23918 A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy. | CVSS3: 7.5 | 0% Низкий | около 3 лет назад |
| CVE-2023-23918 A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14 ... | CVSS3: 7.5 | 0% Низкий | около 3 лет назад |
 | CVE-2023-23920 An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges. | CVSS3: 4.2 | 0% Низкий | около 3 лет назад |
| CVE-2023-23918 A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy. | CVSS3: 7.5 | 0% Низкий | около 3 лет назад |
| CVE-2023-23919 A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service. | CVSS3: 7.5 | 1% Низкий | около 3 лет назад |
| GHSA-5r9g-qh6m-jxff CRLF Injection in Nodejs ‘undici’ via host | CVSS3: 4.6 | 1% Низкий | около 3 лет назад |
| CVE-2023-23936 Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici. | CVSS3: 6.5 | 1% Низкий | около 3 лет назад |
Уязвимостей на страницу