nodejs node.js CVE 漏洞(173)

CVE 數: 173 CPE versions: View versions table

摘要

本頁列出影響 nodejs node.js 的已公開 CVE 漏洞(透過 NVD CPE 關聯)。每列包含嚴重程度評分、摘要與發布日期,便於識別與分析安全議題。

顯示 121140173 CVE 數
CVE 摘要 來源 最高 CVSS EPSS % 公開時間 更新時間
CVE-2018-1000168 nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1. [email protected] 7.5 10.65% 2018-05-08 2026-06-16
CVE-2017-15897 Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases. [email protected] 3.1 2.30% 2017-12-11 2026-06-16
CVE-2017-15896 Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption. [email protected] 9.1 2.38% 2017-12-11 2026-06-16
CVE-2017-3738 There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack w [email protected] 5.9 13.41% 2017-12-07 2026-06-16
CVE-2017-14919 Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter. [email protected] 7.5 8.24% 2017-10-30 2026-07-14
CVE-2014-3744 Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path. [email protected] 7.5 34.01% 2017-10-23 2026-06-16
CVE-2015-7384 Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service. [email protected] 7.5 8.04% 2017-10-10 2026-06-16
CVE-2017-14849 Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules. [email protected] 7.5 54.39% 2017-09-27 2026-06-16
CVE-2015-2927 node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to cause a denial of service (bandwidth consumption). [email protected] 6.5 4.98% 2017-09-20 2026-06-16
CVE-2017-11499 Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup. [email protected] 7.5 5.48% 2017-07-25 2026-06-16
CVE-2017-1000381 The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. [email protected] 7.5 3.31% 2017-07-07 2026-06-16
CVE-2016-9843 The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation. [email protected] 9.8 6.00% 2017-05-23 2026-06-16
CVE-2016-9842 The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers. [email protected] 8.8 5.16% 2017-05-23 2026-07-14
CVE-2016-9841 inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. [email protected] 9.8 7.49% 2017-05-23 2026-07-14
CVE-2016-9840 inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. [email protected] 8.8 4.79% 2017-05-23 2026-07-14
CVE-2016-7055 There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and [email protected] 5.9 14.22% 2017-05-04 2026-06-16
CVE-2017-3732 There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of res [email protected] 5.9 15.93% 2017-05-04 2026-06-16
CVE-2017-3731 If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k. [email protected] 7.5 57.59% 2017-05-04 2026-06-16
CVE-2015-8860 The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive. [email protected] 7.5 4.91% 2017-01-23 2026-06-16
CVE-2015-8855 The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." [email protected] 7.5 6.49% 2017-01-23 2026-06-16
cvelogic Threat Intelligence