VulnerableCode Package Details - pkg:apk/alpine/nodejs@18.14.1-r0?arch=aarch64&distroversion=v3.21&reponame=main

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-7nnu-jtjx-u3ff	Node.js: Permissions policies can be bypassed via process.mainModule	CVE-2023-23918
VCID-8myg-sjwy-yqfp	Node.js: OpenSSL error handling issues in nodejs crypto library	CVE-2023-23919
VCID-dtvs-pgam-qkbp	CRLF Injection in Nodejs ‘undici’ via host Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.	CVE-2023-23936 GHSA-5r9g-qh6m-jxff
VCID-hnjv-fp2r-vqfq	Node.js: insecure loading of ICU data through ICU_DATA environment variable	CVE-2023-23920
VCID-vh17-44d1-kyf7	Regular Expression Denial of Service in Headers Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods is vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.	CVE-2023-24807 GHSA-r6ch-mqf9-qc9w

Vulnerability

Summary

Aliases

VCID-7nnu-jtjx-u3ff

Node.js: Permissions policies can be bypassed via process.mainModule

CVE-2023-23918

VCID-8myg-sjwy-yqfp

Node.js: OpenSSL error handling issues in nodejs crypto library

CVE-2023-23919

VCID-dtvs-pgam-qkbp

CRLF Injection in Nodejs ‘undici’ via host Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.

CVE-2023-23936
GHSA-5r9g-qh6m-jxff

VCID-hnjv-fp2r-vqfq

Node.js: insecure loading of ICU data through ICU_DATA environment variable

CVE-2023-23920

VCID-vh17-44d1-kyf7

Regular Expression Denial of Service in Headers Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods is vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

CVE-2023-24807
GHSA-r6ch-mqf9-qc9w

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-06T04:51:49.084890+00:00	Alpine Linux Importer	Fixing	VCID-hnjv-fp2r-vqfq	https://secdb.alpinelinux.org/v3.21/main.json	38.1.0
2026-04-03T17:55:05.787419+00:00	Alpine Linux Importer	Fixing	VCID-dtvs-pgam-qkbp	https://secdb.alpinelinux.org/v3.21/main.json	38.1.0
2026-04-01T19:10:44.169381+00:00	Alpine Linux Importer	Fixing	VCID-vh17-44d1-kyf7	https://secdb.alpinelinux.org/v3.21/main.json	38.0.0
2026-04-01T19:09:10.026716+00:00	Alpine Linux Importer	Fixing	VCID-7nnu-jtjx-u3ff	https://secdb.alpinelinux.org/v3.21/main.json	38.0.0
2026-04-01T19:03:16.387254+00:00	Alpine Linux Importer	Fixing	VCID-8myg-sjwy-yqfp	https://secdb.alpinelinux.org/v3.21/main.json	38.0.0