Node.js 漏洞與 CVE 列表(202)

產品(CPE): — CVE 數: 202

Node.js 漏洞概覽

彙總 Node.js 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。

歷史漏洞主要涉及 路徑處理缺陷與緩衝區溢位 等問題,部分漏洞可能導致 應用程式崩潰,並影響 軟體部署與生產負載 相關場景。

相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。

漏洞分布趨勢(近 24 個月)

顯示 161180202 CVE 數
CVE 摘要 來源 最高 CVSS EPSS % 公開時間 更新時間
CVE-2016-9840 inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. [email protected] 8.8 4.79% 2017-05-23 2026-07-14
CVE-2016-7055 There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and [email protected] 5.9 14.22% 2017-05-04 2026-06-16
CVE-2017-3732 There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of res [email protected] 5.9 15.93% 2017-05-04 2026-06-16
CVE-2017-3731 If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k. [email protected] 7.5 57.59% 2017-05-04 2026-06-16
CVE-2015-8860 The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive. [email protected] 7.5 4.91% 2017-01-23 2026-06-16
CVE-2015-8855 The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." [email protected] 7.5 6.49% 2017-01-23 2026-06-16
CVE-2014-9772 The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters. [email protected] 6.1 2.62% 2017-01-23 2026-06-16
CVE-2013-7454 The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings. [email protected] 6.1 1.86% 2017-01-23 2026-06-16
CVE-2013-7453 The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing. [email protected] 6.1 1.86% 2017-01-23 2026-06-16
CVE-2013-7452 The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI. [email protected] 6.1 2.03% 2017-01-23 2026-06-16
CVE-2013-7451 The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag. [email protected] 6.1 1.86% 2017-01-23 2026-06-16
CVE-2016-7099 The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. [email protected] 5.9 2.84% 2016-10-10 2026-06-16
CVE-2016-5325 CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument. [email protected] 6.1 4.11% 2016-10-10 2026-06-16
CVE-2016-5180 Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot. [email protected] 9.8 8.58% 2016-10-03 2026-06-16
CVE-2016-7052 crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation. [email protected] 7.5 30.22% 2016-09-26 2026-06-16
CVE-2016-6306 The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c. [email protected] 5.9 41.68% 2016-09-26 2026-06-16
CVE-2016-6304 Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions. [email protected] 7.5 63.03% 2016-09-26 2026-06-16
CVE-2016-5172 The parser in Google V8, as used in Google Chrome before 53.0.2785.113, mishandles scopes, which allows remote attackers to obtain sensitive information from arbitrary memory locations via crafted JavaScript code. [email protected] 6.5 1.88% 2016-09-25 2026-06-16
CVE-2016-6303 Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors. [email protected] 9.8 31.99% 2016-09-16 2026-06-16
CVE-2016-2183 The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. [email protected] 7.5 95.71% 2016-08-31 2026-06-16
cvelogic Threat Intelligence