Node.js


18 total issues disclosed

$2,400 total paid publicly


Most disclosed (4 disclosures) — HTTP Request Smuggling




Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
| --- | --- | --- | --- | --- |
| HTTP Request Smuggling due to ignoring chunk extensions | HTTP Request Smuggling | mkg | Medium | 2021-11-02 |
| HTTP Request Smuggling due to accepting space before colon | HTTP Request Smuggling | mkg | Medium | 2021-10-20 |
| Built-in TLS module unexpectedly treats "rejectUnauthorized: undefined" as "rejectUnauthorized: false", disabling all certificate validation | Improper Certificate Validation | pimterry | Low | 2021-09-10 |
| OOB read in libuv | Buffer Over-read | ericsesterhenn | Medium | 2021-07-05 |
| Node Installer Local Privilege Escalation | Privilege Escalation | deepsurface-robert | Medium | 2021-07-01 |
| HTTP Request Smuggling due to CR-to-Hyphen conversion | HTTP Request Smuggling | amitklein | High | 2020-10-17 |
| Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests | Denial of Service | shogunpanda | Critical | 2020-10-17 |
| Slowloris, body parsing | Denial of Service | underflow0 | Low | 2020-10-17 |
| `fs.realpath.native` on darwin may cause buffer overflow | Classic Buffer Overflow | ashi009 | Medium | 2020-10-17 |
| Malformed HTTP/2 SETTINGS frame leads to reachable assert | Denial of Service | jzebor | Critical | 2020-07-03 |
| napi_get_value_string_X allow various kinds of memory corruption | Memory Corruption - Generic | tniessen | High | 2020-07-02 |
| Node.js: TLS session reuse can lead to hostname verification bypass | Man-in-the-Middle | fwilhelm | High | 2020-06-03 |
| HTTP request smuggling using malformed Transfer-Encoding header | HTTP Request Smuggling | erubinson | Critical | 2020-03-07 |
| HTTP header values do not have trailing OWS trimmed | Improper Input Validation | alyssawilk | High | 2020-02-24 |
| Remotely trigger an assertion on a TLS server with a malformed certificate string | Improper Certificate Validation | rogierschouten | Critical | 2020-02-06 |
| Http request splitting | HTTP Response Splitting | arkadiyt | Medium | 2020-01-15 |
| Your page has 2 blocking CSS resources. This causes a delay in rendering your page. | Array Index Underflow | joy271 | Critical | 2018-07-15 |
| registry.nodejs.org Subdomain Takeover | Man-in-the-Middle | dade | No rating | 2018-05-04 |