nodejs

219 tracked vulnerabilities.

CVE-2025-23167 MEDIUM
Node.js 20 < 20.19.1 - HTTP Request Smuggling via Improper Header Termination
May 19, 2025
CVSS 6.5
EPSS 0.00
CVE-2025-23166 HIGH
Node.js < 20.19.1, 22.0-22.14.9, 23.0-23.10.9, 24.0 - Denial of Service via SignTraits::DeriveBits Exception
May 19, 2025
CVSS 7.5
EPSS 0.00
CVE-2025-23165 LOW
Node.js < v20, v22 - Memory Corruption
May 19, 2025
CVSS 3.7
EPSS 0.00
CVE-2025-47279 LOW
Undici < 5.29.0, 6.0.0-6.21.1, 7.0.0-7.4.9 - Memory Leak via Repeated Webhook Calls
May 15, 2025
CVSS 3.1
EPSS 0.00
CVE-2025-23085 MEDIUM
Node.js < 18.20.6, 20.x < 20.18.2, 22.x < 22.13.1, 23.x < 23.6.1 - Memory Leak via HTTP/2 Socket Closure
Feb 07, 2025
CVSS 5.3
EPSS 0.00
CVE-2025-23084 MEDIUM
Node.js 18.0-18.20.6 - Path Traversal in Windows Drive Name Handling
Jan 28, 2025
CVSS 5.5
EPSS 0.01
CVE-2025-23083 HIGH
Node.js 20.x-20.18.1, 22.x-22.13.0, 23.x-23.6.0 - Permission Model Bypass via Worker Thread Hook
Jan 22, 2025
CVSS 7.7
EPSS 0.00
CVE-2025-22150 MEDIUM
Undici < 5.28.5, 6.21.1, 7.2.3 - Info Disclosure
Jan 21, 2025
CVSS 6.8
EPSS 0.01
CVE-2024-37372 LOW
Node.js Path Traversal via Permission Model Bypass
Jan 09, 2025
CVSS 3.6
EPSS 0.00
CVE-2024-27980 HIGH
Node.js < 18.20.2, 19.x, < 20.12.2, < 21.7.3 - Command Injection via child_process.spawn
Jan 09, 2025
CVSS 8.1
EPSS 0.00
CVE-2024-36138 HIGH
Node.js < 18.20.4, 20.0-20.15.1, 22.0-22.4.1 - Command Injection via child_process.spawn
Sep 07, 2024
CVSS 8.1
EPSS 0.00
CVE-2024-36137 LOW
Node.js < 20.15.1, < 22.4.1 - Permission Model Bypass via File Descriptor Manipulation
Sep 07, 2024
CVSS 3.3
EPSS 0.00
CVE-2024-22018 LOW
Node.js 20.x-21.x - Unauthorized File Stats Access via fs.lstat API
Jul 10, 2024
CVSS 2.9
EPSS 0.00
CVE-2024-22020 MEDIUM
Node.js < 18.20.4, 20.0-20.15.1, 22.0-22.4.1 - Remote Code Execution via Data URL Network Import Bypass
Jul 09, 2024
CVSS 6.5
EPSS 0.00
CVE-2024-38372 LOW
undici >= 6.14.0, < 6.19.2 - Information Exposure via response.arrayBuffer()
Jul 08, 2024
CVSS 2.0
EPSS 0.00
CVE-2024-27982 MEDIUM
Node.js < 18.20.1, 19.x, < 20.12.1, < 21.7.2 - HTTP Request Smuggling via Malformed Content-Length Header
May 07, 2024
CVSS 6.5
EPSS 0.00
CVE-2024-3566 CRITICAL
Windows - Command Injection
Apr 10, 2024
CVSS 9.8
EPSS 0.10
CVE-2024-27983 HIGH
Node.js < 18.20.1, 19.x, < 20.12.1, < 21.7.2 - Denial of Service via HTTP/2 Frame Handling Race Condition
Apr 09, 2024
CVSS 8.2
EPSS 0.76
CVE-2024-30260 LOW
undici < 5.28.4 - Improper Authorization via Uncleared Headers in undici.request()
Apr 04, 2024
CVSS 3.9
EPSS 0.00
CVE-2024-30261 LOW
Undici < 5.28.4 - Improper Access Control via Integrity Option Tampering
Apr 04, 2024
CVSS 2.6
EPSS 0.00
CVE-2024-22025 MEDIUM
Node.js - Denial of Service via Brotli Decoding in fetch()
Mar 19, 2024
CVSS 6.5
EPSS 0.01
CVE-2024-22017 HIGH
Node.js >=18.18.0 - Privilege Escalation
Mar 19, 2024
CVSS 7.3
EPSS 0.01
CVE-2024-22019 HIGH
Node.js 18.0.0-18.19.0 and 20.0.0-20.11.0 - Denial of Service via Chunked Encoding
Feb 20, 2024
CVSS 7.5
EPSS 0.00
CVE-2024-21896 CRITICAL
Node.js 20.0.0-20.11.0 - Path Traversal via Buffer.prototype.utf8Write Monkey Patch
Feb 20, 2024
CVSS 9.8
EPSS 0.02
CVE-2024-21892 HIGH
Node.js 18.0.0-18.19.1 - Privilege Escalation via Incorrect CAP_NET_BIND_SERVICE Exception
Feb 20, 2024
CVSS 7.8
EPSS 0.00