Node.js 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に パス処理の欠陥 and バッファオーバーフロー などに関し、一部は アプリケーションクラッシュ を招き、vendor surface software deployment and vendor surface production workloads 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2016-9840 | inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. | [email protected] | 8.8 | 4.79% | 2017-05-23 | 2026-06-16 |
| CVE-2016-7055 | There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and | [email protected] | 5.9 | 14.22% | 2017-05-04 | 2026-06-16 |
| CVE-2017-3732 | There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of res | [email protected] | 5.9 | 15.93% | 2017-05-04 | 2026-06-16 |
| CVE-2017-3731 | If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k. | [email protected] | 7.5 | 57.59% | 2017-05-04 | 2026-06-16 |
| CVE-2015-8860 | The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive. | [email protected] | 7.5 | 4.91% | 2017-01-23 | 2026-06-16 |
| CVE-2015-8855 | The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." | [email protected] | 7.5 | 6.49% | 2017-01-23 | 2026-06-16 |
| CVE-2014-9772 | The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters. | [email protected] | 6.1 | 2.62% | 2017-01-23 | 2026-06-16 |
| CVE-2013-7454 | The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings. | [email protected] | 6.1 | 1.86% | 2017-01-23 | 2026-06-16 |
| CVE-2013-7453 | The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing. | [email protected] | 6.1 | 1.86% | 2017-01-23 | 2026-06-16 |
| CVE-2013-7452 | The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI. | [email protected] | 6.1 | 2.03% | 2017-01-23 | 2026-06-16 |
| CVE-2013-7451 | The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag. | [email protected] | 6.1 | 1.86% | 2017-01-23 | 2026-06-16 |
| CVE-2016-7099 | The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. | [email protected] | 5.9 | 2.84% | 2016-10-10 | 2026-06-16 |
| CVE-2016-5325 | CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument. | [email protected] | 6.1 | 4.11% | 2016-10-10 | 2026-06-16 |
| CVE-2016-5180 | Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot. | [email protected] | 9.8 | 8.58% | 2016-10-03 | 2026-06-16 |
| CVE-2016-7052 | crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation. | [email protected] | 7.5 | 30.22% | 2016-09-26 | 2026-06-16 |
| CVE-2016-6306 | The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c. | [email protected] | 5.9 | 41.68% | 2016-09-26 | 2026-06-16 |
| CVE-2016-6304 | Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions. | [email protected] | 7.5 | 63.03% | 2016-09-26 | 2026-06-16 |
| CVE-2016-5172 | The parser in Google V8, as used in Google Chrome before 53.0.2785.113, mishandles scopes, which allows remote attackers to obtain sensitive information from arbitrary memory locations via crafted JavaScript code. | [email protected] | 6.5 | 1.88% | 2016-09-25 | 2026-06-16 |
| CVE-2016-6303 | Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors. | [email protected] | 9.8 | 31.99% | 2016-09-16 | 2026-06-16 |
| CVE-2016-2183 | The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. | [email protected] | 7.5 | 95.71% | 2016-08-31 | 2026-06-16 |