Node.js CVE 脆弱性と CVE 一覧(202)

製品(CPE): — CVE 件数: 202

Node.js 脆弱性概要

Node.js 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。

過去の問題は主に パス処理の欠陥 and バッファオーバーフロー などに関し、一部は アプリケーションクラッシュ を招き、vendor surface software deployment and vendor surface production workloads 関連の場面に影響します。

掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。

脆弱性分布の推移(直近24か月)

表示中 161180 / 202 CVE 件数
CVE 概要 ソース CVSS 最大値 EPSS(%) 公開 更新
CVE-2016-9840 inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. [email protected] 8.8 4.79% 2017-05-23 2026-06-16
CVE-2016-7055 There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and [email protected] 5.9 14.22% 2017-05-04 2026-06-16
CVE-2017-3732 There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of res [email protected] 5.9 15.93% 2017-05-04 2026-06-16
CVE-2017-3731 If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k. [email protected] 7.5 57.59% 2017-05-04 2026-06-16
CVE-2015-8860 The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive. [email protected] 7.5 4.91% 2017-01-23 2026-06-16
CVE-2015-8855 The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." [email protected] 7.5 6.49% 2017-01-23 2026-06-16
CVE-2014-9772 The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters. [email protected] 6.1 2.62% 2017-01-23 2026-06-16
CVE-2013-7454 The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings. [email protected] 6.1 1.86% 2017-01-23 2026-06-16
CVE-2013-7453 The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing. [email protected] 6.1 1.86% 2017-01-23 2026-06-16
CVE-2013-7452 The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI. [email protected] 6.1 2.03% 2017-01-23 2026-06-16
CVE-2013-7451 The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag. [email protected] 6.1 1.86% 2017-01-23 2026-06-16
CVE-2016-7099 The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. [email protected] 5.9 2.84% 2016-10-10 2026-06-16
CVE-2016-5325 CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument. [email protected] 6.1 4.11% 2016-10-10 2026-06-16
CVE-2016-5180 Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot. [email protected] 9.8 8.58% 2016-10-03 2026-06-16
CVE-2016-7052 crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation. [email protected] 7.5 30.22% 2016-09-26 2026-06-16
CVE-2016-6306 The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c. [email protected] 5.9 41.68% 2016-09-26 2026-06-16
CVE-2016-6304 Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions. [email protected] 7.5 63.03% 2016-09-26 2026-06-16
CVE-2016-5172 The parser in Google V8, as used in Google Chrome before 53.0.2785.113, mishandles scopes, which allows remote attackers to obtain sensitive information from arbitrary memory locations via crafted JavaScript code. [email protected] 6.5 1.88% 2016-09-25 2026-06-16
CVE-2016-6303 Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors. [email protected] 9.8 31.99% 2016-09-16 2026-06-16
CVE-2016-2183 The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. [email protected] 7.5 95.71% 2016-08-31 2026-06-16
cvelogic Threat Intelligence