Exposure of Node.js

Programming languages

96

exposure score

532,066

sites use

0

exploited

4

critical

CVEs

127 results

CVE-2024-27983HIGHAn attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 fEPSS 87.2%CVE-2021-22883—Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an EPSS 77.4%CVE-2022-32214—The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP reEPSS 77.3%CVE-2022-32215—The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding heaEPSS 68.8%CVE-2019-15605—HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformedEPSS 57.1%CVE-2020-8277—A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versiEPSS 54.2%CVE-2018-12122—Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial EPSS 41.3%CVE-2021-22930—Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory cEPSS 37.3%CVE-2022-32213—The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding heEPSS 35.1%CVE-2021-22884—Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “lEPSS 32.4%CVE-2021-22918—Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. EPSS 23.1%CVE-2021-22931—Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validationEPSS 22.0%CVE-2022-21824—Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "propertiesEPSS 21.5%CVE-2019-15604—Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificateEPSS 20.5%CVE-2019-15606—Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisoEPSS 20.0%CVE-2020-8287—Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-EEPSS 16.3%CVE-2019-5737—In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of SEPSS 16.2%CVE-2021-22939—If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned anEPSS 14.7%CVE-2022-43548HIGHA OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost cEPSS 14.0%CVE-2021-22940—Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory cEPSS 14.0%

← previouspage 1 / 7next →

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →