nodejs
239 tracked vulnerabilities.
CVE-2025-23084
MEDIUM
Node.js 18.0-18.20.6 - Path Traversal in Windows Drive Name Handling
Jan 28, 2025
CVSS 5.5
EPSS 0.01
CVE-2025-23083
HIGH
Node.js 20.x-20.18.1, 22.x-22.13.0, 23.x-23.6.0 - Permission Model Bypass via Worker Thread Hook
Jan 22, 2025
CVSS 7.7
EPSS 0.00
CVE-2025-22150
MEDIUM
Undici <5.28.5,6.21.1,7.2.3 - Info Disclosure
Jan 21, 2025
CVSS 6.8
EPSS 0.01
CVE-2024-37372
LOW
Node.js Path Traversal via Permission Model Bypass
Jan 09, 2025
CVSS 3.6
EPSS 0.00
CVE-2024-27980
HIGH
Node.js < 18.20.2, 19.x, < 20.12.2, < 21.7.3 - Command Injection via child_process.spawn
Jan 09, 2025
CVSS 8.1
EPSS 0.01
CVE-2024-36138
HIGH
Node.js < 18.20.4, 20.0-20.15.1, 22.0-22.4.1 - Command Injection via child_process.spawn
Sep 07, 2024
CVSS 8.1
EPSS 0.01
CVE-2024-36137
LOW
Node.js < 20.15.1, < 22.4.1 - Permission Model Bypass via File Descriptor Manipulation
Sep 07, 2024
CVSS 3.3
EPSS 0.00
CVE-2024-22018
LOW
Node.js 20.x-21.x - Unauthorized File Stats Access via fs.lstat API
Jul 10, 2024
CVSS 2.9
EPSS 0.00
CVE-2024-22020
MEDIUM
Node.js < 18.20.4, 20.0-20.15.1, 22.0-22.4.1 - Remote Code Execution via Data URL Network Import Bypass
Jul 09, 2024
CVSS 6.5
EPSS 0.01
CVE-2024-38372
LOW
undici >=6.14.0 <6.19.2 - Information Exposure via response.arrayBuffer()
Jul 08, 2024
CVSS 2.0
EPSS 0.00
CVE-2024-27982
MEDIUM
Node < 18.20.1, 19.x, < 20.12.1, < 21.7.2 - HTTP Request Smuggling via Malformed Content-Length Header
May 07, 2024
CVSS 6.5
EPSS 0.01
CVE-2024-3566
CRITICAL
Windows - Command Injection
Apr 10, 2024
CVSS 9.8
EPSS 0.07
CVE-2024-27983
HIGH
Node.js < 18.20.1, 19.x, < 20.12.1, < 21.7.2 - Denial of Service via HTTP/2 Frame Handling Race Condition
Apr 09, 2024
CVSS 8.2
EPSS 0.87
CVE-2024-30260
LOW
undici < 5.28.4 - Improper Authorization via Uncleared Headers in undici.request()
Apr 04, 2024
CVSS 3.9
EPSS 0.01
CVE-2024-30261
LOW
Undici < 5.28.4 - Improper Access Control via Integrity Option Tampering
Apr 04, 2024
CVSS 2.6
EPSS 0.01
CVE-2024-22025
MEDIUM
Node.js - Denial of Service via Brotli Decoding in fetch()
Mar 19, 2024
CVSS 6.5
EPSS 0.01
CVE-2024-22017
HIGH
Node.js >=18.18.0 - Privilege Escalation
Mar 19, 2024
CVSS 7.3
EPSS 0.01
CVE-2024-22019
HIGH
Node.js 18.0.0-18.19.0 and 20.0.0-20.11.0 - Denial of Service via Chunked Encoding
Feb 20, 2024
CVSS 7.5
EPSS 0.03
CVE-2024-21896
CRITICAL
Node.js 20.0.0-20.11.0 - Path Traversal via Buffer.prototype.utf8Write Monkey Patch
Feb 20, 2024
CVSS 9.8
EPSS 0.01
CVE-2024-21892
HIGH
Node.js 18.0.0-18.19.1 - Privilege Escalation via Incorrect CAP_NET_BIND_SERVICE Exception
Feb 20, 2024
CVSS 7.8
EPSS 0.01
CVE-2024-21891
HIGH
Node.js 20.0.0-20.11.1 - Path Traversal via Permission Model Bypass
Feb 20, 2024
CVSS 8.8
EPSS 0.01
CVE-2024-21890
MEDIUM
Node.js 20.0.0-20.11.0 - Permission Model Bypass via Wildcard Path Misinterpretation
Feb 20, 2024
CVSS 6.5
EPSS 0.01
CVE-2024-24758
LOW
Undici < 5.28.3 - Exposure of Sensitive Information via Proxy-Authentication Header
Feb 16, 2024
CVSS 3.9
EPSS 0.01
CVE-2024-24750
MEDIUM
Undici 6.0.0-6.6.0 - Use-After-Free via Unconsumed Fetch Body
Feb 16, 2024
CVSS 6.5
EPSS 0.01
CVE-2023-46809
HIGH
Node.js < 18.19.1, 20.11.1, 21.6.2 - Covert Timing Channel via RSA Decryption with PKCS #1 v1.5 Padding
Sep 07, 2024
CVSS 7.4
EPSS 0.01
Products
Quick Filters