Node.js is a software platform based on the V8 engine (which compiles JavaScript to machine code)
Release cycle, vulnerability information
Release schedule
Count: 1 025

| Vulnerability | CVSS | EPSS | Published |
|---|---|---|---|
| CVE-2023-30585 A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT AUTHORITY\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the "msiexec.exe" process attempts to create the specified path in an unsafe manner, potentially leading to the creation of arbitrary folders in arbitrary locations. The severity of this vulnerability is heightened by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by standard (or "non-privileged") users. Consequently, unprivileged actors, including malicious entities or trojans, can manipulate the environment variable key to deceive th... | CVSS3: 7.5 | 2% Low | almost 2 years ago |
| GHSA-86v4-9wq7-fx97 The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18, and v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. | CVSS3: 7.5 | 0% Low | almost 2 years ago |
| CVE-2023-30581 The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18, and v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. | CVSS3: 7.5 | 0% Low | almost 2 years ago |
| SUSE-SU-2023:4492-1 Security update for nghttp2 | | 94% Critical | almost 2 years ago |
| SUSE-SU-2023:4295-1 Security update for nodejs10 | | 94% Critical | about 2 years ago |
| BDU:2024-02798 A vulnerability in the HTTP server of the Node.js software platform that allows an attacker to bypass security restrictions and cause a denial of service | CVSS3: 7.5 | 0% Low | about 2 years ago |
| SUSE-SU-2023:4200-1 Security update for nghttp2 | | 94% Critical | about 2 years ago |