Vulnerabilities related to nodejs - node
cve-2024-37372
Vulnerability from cvelistv5
Published
2025-01-09 00:33
Modified
2025-01-09 21:38
Summary
The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.
Impacted products
Vendor Product Version
nodejs node Version: 20.15.0    20.15.0
Version: 22.4.0    22.4.0


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-37372",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-01-09T21:37:14.611469Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            problemTypes: [
               {
                  descriptions: [
                     {
                        cweId: "CWE-22",
                        description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                        lang: "en",
                        type: "CWE",
                     },
                  ],
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-01-09T21:38:02.105Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "node",
               vendor: "nodejs",
               versions: [
                  {
                     lessThanOrEqual: "20.15.0",
                     status: "affected",
                     version: "20.15.0",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "22.4.0",
                     status: "affected",
                     version: "22.4.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "The Permission Model assumes that any path starting with two backslashes \\ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  baseScore: 3.6,
                  baseSeverity: "LOW",
                  vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
                  version: "3.0",
               },
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-01-09T00:33:47.662Z",
            orgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            shortName: "hackerone",
         },
         references: [
            {
               url: "http://www.openwall.com/lists/oss-security/2024/07/11/6",
            },
            {
               url: "http://www.openwall.com/lists/oss-security/2024/07/19/3",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
      assignerShortName: "hackerone",
      cveId: "CVE-2024-37372",
      datePublished: "2025-01-09T00:33:47.662Z",
      dateReserved: "2024-06-07T01:04:06.869Z",
      dateUpdated: "2025-01-09T21:38:02.105Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2025-23085
Vulnerability from cvelistv5
Published
2025-02-07 07:09
Modified
2025-02-25 13:07
Summary
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.
Impacted products
Vendor Product Version
nodejs node Version: 18.20.5    18.20.5
Version: 20.18.1    20.18.1
Version: 22.13.0    22.13.0
Version: 23.6.0    23.6.0


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2025-23085",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-02-07T15:50:24.935972Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            problemTypes: [
               {
                  descriptions: [
                     {
                        cweId: "CWE-401",
                        description: "CWE-401 Missing Release of Memory after Effective Lifetime",
                        lang: "en",
                        type: "CWE",
                     },
                  ],
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-02-07T15:57:11.221Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2025-02-25T13:07:47.090Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  url: "https://lists.debian.org/debian-lts-announce/2025/02/msg00031.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "node",
               vendor: "nodejs",
               versions: [
                  {
                     lessThanOrEqual: "18.20.5",
                     status: "affected",
                     version: "18.20.5",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "20.18.1",
                     status: "affected",
                     version: "20.18.1",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "22.13.0",
                     status: "affected",
                     version: "22.13.0",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "23.6.0",
                     status: "affected",
                     version: "23.6.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.\r\n\r\nThis vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  version: "3.0",
               },
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-02-07T07:09:25.804Z",
            orgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            shortName: "hackerone",
         },
         references: [
            {
               url: "https://nodejs.org/en/blog/vulnerability/january-2025-security-releases",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
      assignerShortName: "hackerone",
      cveId: "CVE-2025-23085",
      datePublished: "2025-02-07T07:09:25.804Z",
      dateReserved: "2025-01-10T19:05:52.771Z",
      dateUpdated: "2025-02-25T13:07:47.090Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2025-23088
Vulnerability from cvelistv5

This Record was REJECTED after determining it is not in compliance with CVE Program requirements regarding assignment for vulnerabilities



{
   containers: {
      cna: {
         providerMetadata: {
            dateUpdated: "2025-03-01T01:57:38.952Z",
            orgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            shortName: "hackerone",
         },
         rejectedReasons: [
            {
               lang: "en",
               value: "This Record was REJECTED after determining it is not in compliance with CVE Program requirements regarding assignment for vulnerabilities",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
      assignerShortName: "hackerone",
      cveId: "CVE-2025-23088",
      datePublished: "2025-01-22T01:11:30.829Z",
      dateRejected: "2025-03-01T01:57:38.952Z",
      dateReserved: "2025-01-10T19:05:52.772Z",
      dateUpdated: "2025-03-01T01:57:38.952Z",
      state: "REJECTED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2025-23083
Vulnerability from cvelistv5
Published
2025-01-22 01:11
Modified
2025-02-28 13:07
Summary
With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.
Impacted products
Vendor Product Version
nodejs node Version: 20.18.1    20.18.1
Version: 22.13.0    22.13.0
Version: 23.6.0    23.6.0


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2025-23083",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-01-28T04:55:27.327533Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            problemTypes: [
               {
                  descriptions: [
                     {
                        cweId: "CWE-284",
                        description: "CWE-284 Improper Access Control",
                        lang: "en",
                        type: "CWE",
                     },
                  ],
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-02-06T14:09:06.805Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2025-02-28T13:07:33.161Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  url: "https://security.netapp.com/advisory/ntap-20250228-0008/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "node",
               vendor: "nodejs",
               versions: [
                  {
                     lessThanOrEqual: "20.18.1",
                     status: "affected",
                     version: "20.18.1",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "22.13.0",
                     status: "affected",
                     version: "22.13.0",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "23.6.0",
                     status: "affected",
                     version: "23.6.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. \r\n\r\nThis vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  baseScore: 7.7,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  version: "3.0",
               },
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-01-22T01:11:30.802Z",
            orgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            shortName: "hackerone",
         },
         references: [
            {
               url: "https://nodejs.org/en/blog/vulnerability/january-2025-security-releases",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
      assignerShortName: "hackerone",
      cveId: "CVE-2025-23083",
      datePublished: "2025-01-22T01:11:30.802Z",
      dateReserved: "2025-01-10T19:05:52.771Z",
      dateUpdated: "2025-02-28T13:07:33.161Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2024-36137
Vulnerability from cvelistv5
Published
2024-09-07 16:00
Modified
2024-11-22 12:04
Summary
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.
Impacted products
Vendor Product Version
nodejs node Version: 20.15.0    20.15.0
Version: 22.4.0    22.4.0


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-36137",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-09-09T18:06:27.696158Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            problemTypes: [
               {
                  descriptions: [
                     {
                        description: "CWE-noinfo Not enough information",
                        lang: "en",
                        type: "CWE",
                     },
                  ],
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-11-01T19:10:09.954Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-11-22T12:04:50.713Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  url: "https://security.netapp.com/advisory/ntap-20241122-0005/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "node",
               vendor: "nodejs",
               versions: [
                  {
                     lessThanOrEqual: "20.15.0",
                     status: "affected",
                     version: "20.15.0",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "22.4.0",
                     status: "affected",
                     version: "22.4.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used.\r\n\r\nNode.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a \"read-only\" file descriptor to change the owner and permissions of a file.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  baseScore: 3.3,
                  baseSeverity: "LOW",
                  vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                  version: "3.0",
               },
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-09-07T16:00:35.999Z",
            orgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            shortName: "hackerone",
         },
         references: [
            {
               url: "https://nodejs.org/en/blog/vulnerability/july-2024-security-releases",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
      assignerShortName: "hackerone",
      cveId: "CVE-2024-36137",
      datePublished: "2024-09-07T16:00:35.999Z",
      dateReserved: "2024-05-21T01:04:07.208Z",
      dateUpdated: "2024-11-22T12:04:50.713Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2025-23084
Vulnerability from cvelistv5
Published
2025-01-28 04:35
Modified
2025-01-28 15:08
Summary
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of `path.join` API.
Impacted products
Vendor Product Version
nodejs node Version: 18.20.5    18.20.5
Version: 20.18.1    20.18.1
Version: 22.13.0    22.13.0
Version: 23.6.0    23.6.0


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2025-23084",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-01-28T15:07:59.235224Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            problemTypes: [
               {
                  descriptions: [
                     {
                        cweId: "CWE-22",
                        description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                        lang: "en",
                        type: "CWE",
                     },
                  ],
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-01-28T15:08:35.521Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "node",
               vendor: "nodejs",
               versions: [
                  {
                     lessThanOrEqual: "18.20.5",
                     status: "affected",
                     version: "18.20.5",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "20.18.1",
                     status: "affected",
                     version: "20.18.1",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "22.13.0",
                     status: "affected",
                     version: "22.13.0",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "23.6.0",
                     status: "affected",
                     version: "23.6.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory.\r\n\r\nOn Windows, a path that does not start with the file separator is treated as relative to the current directory. \r\n\r\nThis vulnerability affects Windows users of `path.join` API.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  baseScore: 5.6,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
                  version: "3.0",
               },
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-01-28T04:35:15.236Z",
            orgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            shortName: "hackerone",
         },
         references: [
            {
               url: "https://nodejs.org/en/blog/vulnerability/january-2025-security-releases",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
      assignerShortName: "hackerone",
      cveId: "CVE-2025-23084",
      datePublished: "2025-01-28T04:35:15.236Z",
      dateReserved: "2025-01-10T19:05:52.771Z",
      dateUpdated: "2025-01-28T15:08:35.521Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2025-23087
Vulnerability from cvelistv5

This Record was REJECTED after determining it is not in compliance with CVE Program requirements regarding assignment for vulnerabilities



{
   containers: {
      cna: {
         providerMetadata: {
            dateUpdated: "2025-03-01T01:57:38.637Z",
            orgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            shortName: "hackerone",
         },
         rejectedReasons: [
            {
               lang: "en",
               value: "This Record was REJECTED after determining it is not in compliance with CVE Program requirements regarding assignment for vulnerabilities",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
      assignerShortName: "hackerone",
      cveId: "CVE-2025-23087",
      datePublished: "2025-01-22T01:11:30.821Z",
      dateRejected: "2025-03-01T01:57:38.637Z",
      dateReserved: "2025-01-10T19:05:52.772Z",
      dateUpdated: "2025-03-01T01:57:38.637Z",
      state: "REJECTED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2025-23089
Vulnerability from cvelistv5

This Record was REJECTED after determining it is not in compliance with CVE Program requirements regarding assignment for vulnerabilities



{
   containers: {
      cna: {
         providerMetadata: {
            dateUpdated: "2025-03-01T01:57:39.264Z",
            orgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            shortName: "hackerone",
         },
         rejectedReasons: [
            {
               lang: "en",
               value: "This Record was REJECTED after determining it is not in compliance with CVE Program requirements regarding assignment for vulnerabilities",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
      assignerShortName: "hackerone",
      cveId: "CVE-2025-23089",
      datePublished: "2025-01-22T01:11:30.822Z",
      dateRejected: "2025-03-01T01:57:39.264Z",
      dateReserved: "2025-01-10T19:05:52.772Z",
      dateUpdated: "2025-03-01T01:57:39.264Z",
      state: "REJECTED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2024-36138
Vulnerability from cvelistv5
Published
2024-09-07 16:00
Modified
2024-11-08 15:02
Summary
Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
Impacted products
Vendor Product Version
nodejs node Version: 18.20.3    18.20.3
Version: 20.15.0    20.15.0
Version: 22.4.0    22.4.0


{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unaffected",
                  product: "nodejs",
                  vendor: "nodejs",
                  versions: [
                     {
                        lessThan: "18.20.4",
                        status: "affected",
                        version: "18.0",
                        versionType: "semver",
                     },
                     {
                        lessThan: "20.15.1",
                        status: "affected",
                        version: "20.0",
                        versionType: "semver",
                     },
                     {
                        lessThan: "22.4.1",
                        status: "affected",
                        version: "22.0",
                        versionType: "semver",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-36138",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-09-09T17:53:28.236286Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            problemTypes: [
               {
                  descriptions: [
                     {
                        cweId: "CWE-77",
                        description: "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')",
                        lang: "en",
                        type: "CWE",
                     },
                  ],
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-09-09T17:57:58.475Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-11-08T15:02:49.727Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  url: "https://security.netapp.com/advisory/ntap-20241108-0010/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "node",
               vendor: "nodejs",
               versions: [
                  {
                     lessThanOrEqual: "18.20.3",
                     status: "affected",
                     version: "18.20.3",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "20.15.0",
                     status: "affected",
                     version: "20.15.0",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "22.4.0",
                     status: "affected",
                     version: "22.4.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  baseScore: 8.1,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.0",
               },
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-09-07T16:00:36.011Z",
            orgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            shortName: "hackerone",
         },
         references: [
            {
               url: "https://nodejs.org/en/blog/vulnerability/july-2024-security-releases",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
      assignerShortName: "hackerone",
      cveId: "CVE-2024-36138",
      datePublished: "2024-09-07T16:00:36.011Z",
      dateReserved: "2024-05-21T01:04:07.208Z",
      dateUpdated: "2024-11-08T15:02:49.727Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}