Filtered by vendor Nodejs Subscriptions
Filtered by product Node.js Subscriptions
Total 157 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2016-2086 2 Fedoraproject, Nodejs 2 Fedora, Node.js 2025-04-12 N/A
Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
CVE-2016-2107 8 Canonical, Debian, Google and 5 more 18 Ubuntu Linux, Debian Linux, Android and 15 more 2025-04-12 5.9 Medium
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
CVE-2016-2178 7 Canonical, Debian, Nodejs and 4 more 10 Ubuntu Linux, Debian Linux, Node.js and 7 more 2025-04-12 5.5 Medium
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
CVE-2016-2183 6 Cisco, Nodejs, Openssl and 3 more 14 Content Security Management Appliance, Node.js, Openssl and 11 more 2025-04-12 7.5 High
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
CVE-2016-5325 3 Nodejs, Redhat, Suse 4 Node.js, Openshift, Rhel Software Collections and 1 more 2025-04-12 N/A
CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.
CVE-2016-5180 6 C-ares, C-ares Project, Canonical and 3 more 6 C-ares, C-ares, Ubuntu Linux and 3 more 2025-04-12 9.8 Critical
Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.
CVE-2016-6304 4 Nodejs, Novell, Openssl and 1 more 11 Node.js, Suse Linux Enterprise Module For Web Scripting, Openssl and 8 more 2025-04-12 7.5 High
Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.
CVE-2016-6306 7 Canonical, Debian, Hp and 4 more 11 Ubuntu Linux, Debian Linux, Icewall Federation Agent and 8 more 2025-04-12 5.9 Medium
The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
CVE-2016-7052 3 Nodejs, Novell, Openssl 3 Node.js, Suse Linux Enterprise Module For Web Scripting, Openssl 2025-04-12 7.5 High
crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.
CVE-2023-44487 32 Akka, Amazon, Apache and 29 more 364 Http Server, Opensearch Data Prepper, Apisix and 361 more 2025-04-12 7.5 High
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2013-2882 4 Debian, Google, Nodejs and 1 more 6 Debian Linux, Chrome, Node.js and 3 more 2025-04-11 N/A
Google V8, as used in Google Chrome before 28.0.1500.95, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion."
CVE-2023-23936 2 Nodejs, Redhat 4 Node.js, Undici, Enterprise Linux and 1 more 2025-03-11 6.5 Medium
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
CVE-2019-9516 12 Apache, Apple, Canonical and 9 more 24 Traffic Server, Mac Os X, Swiftnio and 21 more 2025-01-14 6.5 Medium
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.
CVE-2019-9518 11 Apache, Apple, Canonical and 8 more 26 Traffic Server, Mac Os X, Swiftnio and 23 more 2025-01-14 7.5 High
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.
CVE-2019-9517 12 Apache, Apple, Canonical and 9 more 28 Http Server, Traffic Server, Mac Os X and 25 more 2025-01-14 7.5 High
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
CVE-2019-9511 12 Apache, Apple, Canonical and 9 more 29 Traffic Server, Mac Os X, Swiftnio and 26 more 2025-01-14 7.5 High
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CVE-2019-9513 12 Apache, Apple, Canonical and 9 more 25 Traffic Server, Mac Os X, Swiftnio and 22 more 2025-01-14 7.5 High
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
CVE-2019-9514 13 Apache, Apple, Canonical and 10 more 44 Traffic Server, Mac Os X, Swiftnio and 41 more 2025-01-14 7.5 High
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
CVE-2019-9515 12 Apache, Apple, Canonical and 9 more 36 Traffic Server, Mac Os X, Swiftnio and 33 more 2025-01-14 7.5 High
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CVE-2018-12121 2 Nodejs, Redhat 9 Node.js, Enterprise Linux, Enterprise Linux Desktop and 6 more 2024-12-27 7.5 High
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.