Node.js Program Statistics

View program

117 total issues disclosed

$3,150 total paid publicly

Most disclosed (14 disclosures) — Privilege Escalation

Disclosed Reports

Report Title Vulnerability Type Disclosed By Severity Disclosed on
NULL pointer dereference in node:sqlite DatabaseSync#applyChangeset() via malformed SQLite changeset NULL Pointer Dereference junius High 2026-05-23
Memory Corruption via TOCTOU Race in SharedArrayBuffer UTF-8 Decode (`StringBytes::Encode`) Time-of-check Time-of-use (TOCTOU) Race Condition v1ct0rv0nd00m High 2026-05-23
Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS None supplied mbarbs High 2026-04-23
HashDoS in V8 Cryptographic Issues - Generic sharp_edged Medium 2026-03-30
Permission Model Bypass in realpathSync.native Allows File Existence Disclosure Information Disclosure stif Low 2026-03-30
Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery Cryptographic Issues - Generic x_probe Medium 2026-03-30
Node.js Permission Model bypass: UDS server bind/listen works without `--allow-net` Improper Access Control - Generic xavlimsg Medium 2026-03-30
Denial of Service via `__proto__` header name in `req.headersDistinct` (Uncaught `TypeError` crashes Node.js process) Uncontrolled Resource Consumption yushengchen High 2026-03-30
CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown Improper Access Control - Generic wooseokdotkim Low 2026-03-30
Memory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion Missing Release of Memory after Effective Lifetime galbarnahum Medium 2026-03-30
Assertion error in node_url.cc via malformed URL format leads to Node.js crash Reachable Assertion rafaelgss Medium 2026-03-26
Unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion None supplied illia-v No rating 2026-02-23
TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak Uncontrolled Resource Consumption 0xmaxhax Medium 2026-02-12
Node.js permission model bypass via unchecked Unix Domain Socket connections (UDS) Server-Side Request Forgery (SSRF) winfunc Medium 2026-02-12
Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers Improper Handling of Exceptional Conditions aaron_vercel Medium 2026-02-12
Memory leak that enables remote Denial of Service against applications processing TLS client certificates Uncontrolled Resource Consumption giant_anteater Medium 2026-02-12
Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled Improper Initialization chalker High 2026-02-12
FS Permissions Bypass Violation of Secure Design Principles natann High 2026-02-12
fs.futimes() Bypasses Read-Only Permission Model Improper Access Control - Generic oriotie Low 2026-01-15
Missing AES-GCM Authentication Tag Validation and Improper Deprecation Handling Missing Required Cryptographic Step sideni High 2025-12-19
CWE-195 in ExternalMemoryAccounter::Increase() None supplied codingthunder No rating 2025-08-26
Windows Device Names Still Allow Path Traversal in UNC Paths After CVE-2025-27210 Fix Path Traversal oblivionsage High 2025-07-28
HashDoS in V8 Cryptographic Issues - Generic sharp_edged High 2025-07-15
Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize() Path Traversal oblivionsage High 2025-07-15
Improper HTTP header block termination in llhttp HTTP Request Smuggling kenballus Medium 2025-06-13
WASI sandbox escape via symlink Privilege Escalation jessewilson Medium 2025-05-24
Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string. Memory Corruption - Generic justinnietzel Low 2025-05-15
Improper error handling in async cryptographic operations crashes process Cryptographic Issues - Generic tniessen High 2025-05-14
GOAWAY HTTP/2 frames cause memory leak outside heap Uncontrolled Resource Consumption newtmitch Medium 2025-02-06
Path traversal by drive name in Windows environment Path Traversal taise Medium 2025-01-27
Usage of unsafe random function in undici for choosing boundary Use of Insufficiently Random Values parrot409 Medium 2025-01-23
Worker permission bypass via InternalWorker leak in diagnostics Improper Access Control - Generic leodog896 High 2025-01-21
Permissions can be bypassed via arbitrary code execution through abusing libuv signal pipes Privilege Escalation xion No rating 2024-08-08
Permission model improperly processes UNC paths Privilege Escalation tniessen Low 2024-07-15
fs.lstat bypasses permission model Privilege Escalation haxatron1 Low 2024-07-09
Bypass incomplete fix of CVE-2024-27980 Command Injection - Generic tianst High 2024-07-09
fs.fchown/fchmod bypasses permission model Improper Access Control - Generic 4xpl0r3r Low 2024-07-09
Bypass network import restriction via data URL Improper Access Control - Generic dittyroma Medium 2024-07-08
fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect Violation of Secure Design Principles uzlopak No rating 2024-05-03
Proxy-Authorization header not cleared on cross-origin redirect in undici.request Insufficiently Protected Credentials iylz Low 2024-05-03
HTTP Request Smuggling via Content Length Obfuscation HTTP Request Smuggling bpingel Medium 2024-05-03
"Assertion failed" in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash Uncontrolled Resource Consumption bart High 2024-04-08
Denial of Service by resource exhaustion in fetch() brotli decoding Uncontrolled Resource Consumption maple3142 Medium 2024-03-16
setuid() does not drop all privileges due to io_uring Privilege Escalation valette High 2024-03-16
Proxy-Authorization header is not cleared in cross-domain redirect in undici Information Disclosure timon8 Low 2024-03-12
Path traversal by monkey-patching Buffer internals Path Traversal tniessen High 2024-02-15
Improper handling of wildcards in --allow-fs-read and --allow-fs-write Improper Access Control - Generic tniessen Medium 2024-02-15
Code injection and privilege escalation through Linux capabilities Privilege Escalation tniessen High 2024-02-15
Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) Use of a Broken or Risky Cryptographic Algorithm hkario Medium 2024-02-15
http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks Uncontrolled Resource Consumption bart High 2024-02-15
Multiple permission model bypasses due to improper path traversal sequence sanitization Path Traversal xion High 2024-02-15
Path traversal through path stored in Uint8Array Path Traversal tniessen High 2023-10-13
Permission model improperly protects against path traversal Path Traversal tniessen High 2023-10-13
Integrity checks according to policies can be circumvented Insufficient Verification of Data Authenticity tniessen Medium 2023-10-13
process.binding() can bypass the permission model through path traversal Path Traversal rafaelgss High 2023-09-10
fs.statfs bypasses Permission Model Improper Access Control - Generic rafaelgss Low 2023-09-10
Dependency Policy Bypass via process.binding Privilege Escalation leodog896 Medium 2023-08-23
Permissions policies can be bypassed via Module._load. Privilege Escalation mattaustin High 2023-08-16
Renaming/aliasing relative symbolic links potentially redirects them to supposedly inaccessible locations Privilege Escalation tniessen Medium 2023-08-15
fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks. Path Traversal haxatron1 Low 2023-08-11
Permission model bypass by specifying a path traversal sequence in a buffer, Path Traversal haxatron1 High 2023-08-11
Policy-restricted modules can escalate to higher privileges by impersonating other modules in a policy list using module.constructor.createRequire() Privilege Escalation haxatron1 Medium 2023-08-11
DNS rebinding in --inspect (again) via invalid IP addresses OS Command Injection haxatron1 High 2023-08-11
Node 18 reads openssl.cnf from /home/iojs/build/... upon startup. Cryptographic Issues - Generic msvrmiscovet Medium 2023-08-11
DiffieHellman doesn't generate keys after setting a key Inconsistency Between Implementation and Documented Design bensmyth Medium 2023-07-20
node.js process aborts when processing x509 certs with invalid public key information Uncontrolled Resource Consumption m_r_beauchamp Medium 2023-07-20
Process-based permissions can be bypassed with the "inspector" module. Improper Access Control - Generic mattaustin High 2023-07-20
Filesystem experimental permissions policy does not handle path traversal cases. Path Traversal haxatron1 High 2023-07-20
fs.openAsBlob() bypasses permission system Improper Access Control - Generic cjihrig Medium 2023-07-20
fs module's file watching is not restricted by --allow-fs-read Improper Access Control - Generic cjihrig Medium 2023-07-20
The use of __proto__ in process.mainModule.__proto__.require() bypasses the permission system in Node v19.6.1 Privilege Escalation haxatron1 High 2023-07-20
OpenSSL engines can be used to bypass and/or disable the permission model Privilege Escalation tniessen Medium 2023-06-22
HTTP Request Smuggling via Empty headers separated by CR HTTP Request Smuggling yadhukrishnam Medium 2023-06-20
Permissions policies can be bypassed via process.mainModule Privilege Escalation goums High 2023-03-19
Regular Expression Denial of Service in Headers Uncontrolled Resource Consumption sno2 Low 2023-03-19
Insecure loading of ICU data through ICU_DATA environment variable None supplied bnoordhuis Low 2023-03-19
CRLF Injection in Nodejs ‘undici’ via host CRLF Injection timon8 Medium 2023-02-22
Multiple OpenSSL error handling issues in nodejs crypto library Cryptographic Issues - Generic mjones-vsat Medium 2023-02-17
Take over subdomain undici.nodejs.org.cdn.cloudflare.net Array Index Underflow algisec1337 Medium 2023-01-11
DNS rebinding in --inspect via invalid octal IP address OS Command Injection haxatron1 Medium 2022-12-07
Weak randomness in WebCrypto keygen Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) bnoordhuis High 2022-10-26
HTTP Request Smuggling Due to Incorrect Parsing of Header Fields HTTP Request Smuggling vvx7 Medium 2022-10-26
CVE-2022-32213 bypass via obs-fold mechanic HTTP Request Smuggling haxatron1 Medium 2022-10-26
Node 18 reads openssl.cnf from /home/iojs/build/... upon startup on MacOS Cryptographic Issues - Generic mhdawson Medium 2022-10-26
HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (improper fix for CVE-2022-32215) HTTP Request Smuggling shacharm Medium 2022-10-26
DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices) Improper Access Control - Generic zeyu2001 High 2022-09-28
Off-by-slash vulnerability in nodejs.org and iojs.org Path Traversal nagaro Medium 2022-08-24
Undici does not use CONNECT or otherwise validate upstream HTTPS certificates when using a proxy Improper Certificate Validation pimterry High 2022-07-13
HTTP Request Smuggling Due to Flawed Parsing of Transfer-Encoding HTTP Request Smuggling zeyu2001 Medium 2022-07-07
HTTP Request Smuggling Due To Improper Delimiting of Header Fields HTTP Request Smuggling zeyu2001 Medium 2022-07-07
HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding HTTP Request Smuggling zeyu2001 Medium 2022-07-07
Node.js Certificate Verification Bypass via String Injection Improper Following of a Certificate's Chain of Trust bengl Medium 2022-02-10
Prototype pollution via console.table properties Modification of Assumed-Immutable Data (MAID) rugvip Low 2022-01-11
HTTP Request Smuggling due to ignoring chunk extensions HTTP Request Smuggling mkg Medium 2021-11-02
HTTP Request Smuggling due to accepting space before colon HTTP Request Smuggling mkg Medium 2021-10-20
Improper handling of untypical characters in domain names Improper Null Termination philippjeitner High 2021-09-10
Built-in TLS module unexpectedly treats "rejectUnauthorized: undefined" as "rejectUnauthorized: false", disabling all certificate validation Improper Certificate Validation pimterry Low 2021-09-10
OOB read in libuv Buffer Over-read ericsesterhenn Medium 2021-07-05
Node Installer Local Privilege Escalation Privilege Escalation deepsurface-robert Medium 2021-07-01
Unexpected input validation of octal literals in nodejs v15.12.0 and below returns defined values for all undefined octal literals. Use of Inherently Dangerous Function sickcodes Critical 2021-06-14
HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion Uncontrolled Resource Consumption omicronenergy Critical 2021-03-15
DNS rebinding in --inspect (insufficient fix of CVE-2018-7160) Improper Access Control - Generic v6ak High 2021-02-23
Node.js: use-after-free in TLSWrap Use After Free fwilhelm High 2021-01-05
DNS Max Responses for DOS Uncontrolled Resource Consumption zeus1999 High 2020-12-16
HTTP Request Smuggling due to CR-to-Hyphen conversion HTTP Request Smuggling amitklein High 2020-10-17
Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests Denial of Service shogunpanda Critical 2020-10-17
Slowloris, body parsing Denial of Service underflow0 Low 2020-10-17
`fs.realpath.native` on darwin may cause buffer overflow Classic Buffer Overflow ashi009 Medium 2020-10-17
Malformed HTTP/2 SETTINGS frame leads to reachable assert Denial of Service jzebor Critical 2020-07-03
napi_get_value_string_X allow various kinds of memory corruption Memory Corruption - Generic tniessen High 2020-07-02
Node.js: TLS session reuse can lead to hostname verification bypass Man-in-the-Middle fwilhelm High 2020-06-03
HTTP request smuggling using malformed Transfer-Encoding header HTTP Request Smuggling erubinson Critical 2020-03-07
HTTP header values do not have trailing OWS trimmed Improper Input Validation alyssawilk High 2020-02-24
Remotely trigger an assertion on a TLS server with a malformed certificate string Improper Certificate Validation rogierschouten Critical 2020-02-06
Http request splitting HTTP Response Splitting arkadiyt Medium 2020-01-15
Your page has 2 blocking CSS resources. This causes a delay in rendering your page. Array Index Underflow joy271 Critical 2018-07-15
registry.nodejs.org Subdomain Takeover Man-in-the-Middle dade No rating 2018-05-04