Nodejs Node
96 CVEs affecting Nodejs Node. Latest disclosed: 2026-03-30. Critical: 0, High: 17.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-27983 | High | 8.2 | 2024-04-09 | An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is… |
| CVE-2024-27980 | High | 8.1 | 2025-01-09 | Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands a… |
| CVE-2024-36138 | High | 8.1 | 2024-09-07 | Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / ch… |
| CVE-2024-21896 | High | 7.9 | 2024-02-20 | The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a… |
| CVE-2024-21891 | High | 7.9 | 2024-02-20 | Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwritten with user-defined implementati… |
| CVE-2025-23083 | High | 7.7 | 2025-01-22 | With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also… |
| CVE-2023-39331 | High | 7.7 | 2023-10-18 | A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the imp… |
| CVE-2026-21710 | High | 7.5 | 2026-03-30 | A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses… |
| CVE-2025-59465 | High | 7.5 | 2026-01-20 | A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. I… |
| CVE-2025-27210 | High | 7.5 | 2025-07-18 | An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability… |
| CVE-2025-27209 | High | 7.5 | 2025-07-18 | The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability… |
| CVE-2025-23166 | High | 7.5 | 2025-05-19 | The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the… |
| CVE-2024-22019 | High | 7.5 | 2024-02-20 | A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and d… |
| CVE-2024-21892 | High | 7.5 | 2024-02-20 | On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privilege… |
| CVE-2024-22017 | High | 7.3 | 2024-03-19 | setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operati… |
| CVE-2025-55131 | High | 7.1 | 2026-01-20 | A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout optio… |
| CVE-2025-55130 | High | 7.1 | 2026-01-20 | A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By… |
| CVE-2025-59464 | Medium | 6.5 | 2026-01-20 | A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applicatio… |
| CVE-2025-23167 | Medium | 6.5 | 2025-05-19 | A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables… |
| CVE-2024-22020 | Medium | 6.5 | 2024-07-09 | A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary co… |