Node.js — программная платформа, основанная на движке V8 (компилирующем JavaScript в машинный код)

Релизный цикл, информация об уязвимостях

Продукт: Node.js

Вендор: nodejs

График релизов

Недавние уязвимости Node.js

Количество 1 064

CVE-2022-32215

больше 3 лет назад

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

CVSS3: 6.5

EPSS: Высокий

CVE-2022-32215

больше 3 лет назад

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module ...

CVSS3: 6.5

EPSS: Высокий

CVE-2022-32214

больше 3 лет назад

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

CVSS3: 6.5

EPSS: Средний

CVE-2022-32214

больше 3 лет назад

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module ...

CVSS3: 6.5

EPSS: Средний

CVE-2022-32213

больше 3 лет назад

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).

CVSS3: 6.5

EPSS: Высокий

CVE-2022-32213

больше 3 лет назад

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module ...

CVSS3: 6.5

EPSS: Высокий

CVE-2022-32212

больше 3 лет назад

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

CVSS3: 8.1

EPSS: Низкий

CVE-2022-32212

больше 3 лет назад

A OS Command Injection vulnerability exists in Node.js versions <14.20 ...

CVSS3: 8.1

EPSS: Низкий

CVE-2022-32223

больше 3 лет назад

Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability.

CVSS3: 7.3

EPSS: Низкий

CVE-2022-32215

больше 3 лет назад

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

CVSS3: 6.5

EPSS: Высокий

Уязвимостей на страницу

Уязвимость	CVSS	EPSS	Опубликовано 1
CVE-2022-32215 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).	CVSS3: 6.5	88% Высокий	больше 3 лет назад
CVE-2022-32215 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module ...	CVSS3: 6.5	88% Высокий	больше 3 лет назад
CVE-2022-32214 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).	CVSS3: 6.5	46% Средний	больше 3 лет назад
CVE-2022-32214 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module ...	CVSS3: 6.5	46% Средний	больше 3 лет назад
CVE-2022-32213 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).	CVSS3: 6.5	89% Высокий	больше 3 лет назад
CVE-2022-32213 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module ...	CVSS3: 6.5	89% Высокий	больше 3 лет назад
CVE-2022-32212 A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.	CVSS3: 8.1	0% Низкий	больше 3 лет назад
CVE-2022-32212 A OS Command Injection vulnerability exists in Node.js versions <14.20 ...	CVSS3: 8.1	0% Низкий	больше 3 лет назад
CVE-2022-32223 Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability.	CVSS3: 7.3	6% Низкий	больше 3 лет назад
CVE-2022-32215 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).	CVSS3: 6.5	88% Высокий	больше 3 лет назад

Уязвимостей на страницу