| purl | pkg:deb/debian/nodejs@0.10.29~dfsg-2 |
| Next non-vulnerable version | 20.19.2+dfsg-1 |
| Latest non-vulnerable version | 20.19.2+dfsg-1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-17k5-vadp-4kby
Aliases: CVE-2020-11080 |
nghttp2: overly large SETTINGS frames can lead to DoS |
Affected by 31 other vulnerabilities. |
|
VCID-1bhj-vafz-4ya8
Aliases: CVE-2018-12122 |
Multiple vulnerabilities have been found in Node.js, worst of which could allow remote attackers to write arbitrary files. |
Affected by 31 other vulnerabilities. |
|
VCID-1ghj-acr4-tkat
Aliases: CVE-2016-2216 |
Multiple vulnerabilities have been found in Node.js, the worst of which can allow remote attackers to cause Denial of Service conditions. |
Affected by 55 other vulnerabilities. |
|
VCID-2z1f-7jkw-17av
Aliases: CVE-2024-27982 |
Multiple vulnerabilities have been discovered in Node.js, the worst of which could lead to execution of arbitrary code. |
Affected by 14 other vulnerabilities. |
|
VCID-3vdn-6af1-k3g6
Aliases: CVE-2018-7161 |
Multiple vulnerabilities have been found in Node.js, worst of which could allow remote attackers to write arbitrary files. |
Affected by 31 other vulnerabilities. |
|
VCID-4cbr-u3tr-pfdr
Aliases: CVE-2016-7099 |
nodejs: wildcard certificates not properly validated |
Affected by 55 other vulnerabilities. |
|
VCID-4dhf-bpv6-a3e1
Aliases: CVE-2019-15604 |
Multiple vulnerabilities have been found in Node.js, worst of which could allow remote attackers to write arbitrary files. |
Affected by 31 other vulnerabilities. |
|
VCID-4khc-2nz3-ckhr
Aliases: CVE-2018-7164 |
Multiple vulnerabilities have been found in Node.js, worst of which could allow remote attackers to write arbitrary files. |
Affected by 31 other vulnerabilities. |
|
VCID-53xm-8w84-93cx
Aliases: CVE-2021-22930 |
Multiple vulnerabilities have been found in c-ares, the worst of which could result in the loss of confidentiality or integrity. |
Affected by 25 other vulnerabilities. |
|
VCID-5cf7-va9h-h3gy
Aliases: CVE-2021-44531 |
Improper Certificate Validation: Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js does not match the URI correctly. Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option. |
Affected by 25 other vulnerabilities. |
|
VCID-6uyn-fy9v-c3gx
Aliases: CVE-2015-7384 |
Uncontrolled Resource Consumption: Node.js allows remote attackers to cause a denial of service. |
Affected by 55 other vulnerabilities. |
|
VCID-7tpb-9zrz-e7e1
Aliases: CVE-2022-32212 |
Multiple vulnerabilities have been discovered in Node.js. |
Affected by 25 other vulnerabilities. |
|
VCID-8c4g-fjsa-nkhw
Aliases: CVE-2022-32214 GHSA-q5vx-44v4-gch4 |
llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields: The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. The LF character (without CR) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This can lead to HTTP Request Smuggling (HRS). |
Affected by 25 other vulnerabilities. |
|
VCID-8m9d-ah96-d7cg
Aliases: CVE-2015-8027 |
Multiple vulnerabilities have been found in Node.js, the worst of which can allow remote attackers to cause Denial of Service conditions. |
Affected by 55 other vulnerabilities. |
|
VCID-9g7s-y7nq-xfbb
Aliases: CVE-2021-22939 |
Multiple vulnerabilities have been found in c-ares, the worst of which could result in the loss of confidentiality or integrity. |
Affected by 25 other vulnerabilities. |
|
VCID-9hzg-r1fj-pubf
Aliases: CVE-2019-9513 |
Excessive CPU usage in HTTP/2 with priority changes |
Affected by 31 other vulnerabilities. |
|
VCID-9tvd-qsp8-byfx
Aliases: CVE-2019-5739 |
Multiple vulnerabilities have been found in Node.js, worst of which could allow remote attackers to write arbitrary files. |
Affected by 31 other vulnerabilities. |
|
VCID-9v22-ened-4bg2
Aliases: CVE-2018-12123 |
Multiple vulnerabilities have been found in Node.js, worst of which could allow remote attackers to write arbitrary files. |
Affected by 31 other vulnerabilities. |
|
VCID-9yq7-aba3-c7c3
Aliases: CVE-2023-32559 |
Multiple vulnerabilities have been discovered in Node.js. |
Affected by 14 other vulnerabilities. |
|
VCID-atyy-fepb-6yge
Aliases: CVE-2016-5325 |
Multiple vulnerabilities have been found in Node.js, the worst of which can allow remote attackers to cause Denial of Service conditions. |
Affected by 55 other vulnerabilities. |
|
VCID-b54b-pd2b-bygm
Aliases: CVE-2022-32213 GHSA-5689-v88g-g6rv |
llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding: The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). Impacts: all versions of the nodejs 18.x, 16.x, and 14.x release lines. llhttp v6.0.7 and llhttp v2.1.5 contain the fixes that were updated inside Node.js. |
Affected by 25 other vulnerabilities. |
|
VCID-bx67-aud6-b3fa
Aliases: CVE-2024-22025 |
Multiple vulnerabilities have been discovered in Node.js, the worst of which could lead to execution of arbitrary code. |
Affected by 14 other vulnerabilities. |
|
VCID-c8xz-v6h3-6ueb
Aliases: CVE-2025-47153 |
nodejs: libuv: Out-of-Bounds Access Due to Inconsistent off_t Size in libuv and Node.js Build on i386 |
Affected by 14 other vulnerabilities. |
|
VCID-d8nf-t1fb-2uad
Aliases: CVE-2016-2086 |
Multiple vulnerabilities have been found in Node.js, the worst of which can allow remote attackers to cause Denial of Service conditions. |
Affected by 55 other vulnerabilities. |
|
VCID-dfdy-vhdd-5kh4
Aliases: CVE-2022-35256 |
Multiple vulnerabilities have been discovered in Node.js. |
Affected by 25 other vulnerabilities. |
|
VCID-dmv4-ydq9-a7eq
Aliases: CVE-2019-9511 |
Excessive CPU usage in HTTP/2 with small window updates |
Affected by 31 other vulnerabilities. |
|
VCID-e18p-c3m9-2qgy
Aliases: CVE-2021-44532 |
Multiple vulnerabilities have been discovered in Node.js. |
Affected by 25 other vulnerabilities. |
|
VCID-e6gj-fe31-kkh5
Aliases: CVE-2023-46809 |
Multiple vulnerabilities have been discovered in Node.js, the worst of which could lead to execution of arbitrary code. |
Affected by 14 other vulnerabilities. |
|
VCID-e7u5-356v-jbg7
Aliases: CVE-2023-30590 |
Multiple vulnerabilities have been discovered in Node.js. |
Affected by 14 other vulnerabilities. |
|
VCID-f7ch-ze7a-d7gr
Aliases: CVE-2018-12116 |
Multiple vulnerabilities have been found in Node.js, worst of which could allow remote attackers to write arbitrary files. |
Affected by 31 other vulnerabilities. |
|
VCID-gwyr-ac4e-dqfa
Aliases: CVE-2021-22959 |
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'): The llhttp parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). |
Affected by 25 other vulnerabilities. |
|
VCID-h8gu-1htb-u3fg
Aliases: CVE-2018-12120 |
nodejs: Debugger port 5858 listens on any interface by default |
Affected by 31 other vulnerabilities. |
|
VCID-hnjv-fp2r-vqfq
Aliases: CVE-2023-23920 |
Node.js: insecure loading of ICU data through ICU_DATA environment variable |
Affected by 25 other vulnerabilities. |
|
VCID-hu7c-gc8f-q3cm
Aliases: CVE-2017-11499 |
nodejs: Constant Hashtable Seeds vulnerability |
Affected by 31 other vulnerabilities. |
|
VCID-ke6j-fgys-gyga
Aliases: CVE-2019-15605 |
Multiple vulnerabilities have been found in Node.js, worst of which could allow remote attackers to write arbitrary files. |
Affected by 31 other vulnerabilities. |
|
VCID-m5ae-uc68-d3g2
Aliases: CVE-2022-21824 |
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'): This advisory has been marked as a false positive. |
Affected by 25 other vulnerabilities. |
|
VCID-m7rw-arzq-jba1
Aliases: CVE-2022-43548 |
Multiple vulnerabilities have been discovered in Node.js. |
Affected by 25 other vulnerabilities. |
|
VCID-ms5y-gp7v-2qay
Aliases: CVE-2021-44533 |
Multiple vulnerabilities have been discovered in Node.js. |
Affected by 25 other vulnerabilities. |
|
VCID-n66u-b73u-zucb
Aliases: CVE-2019-9514 GHSA-39qc-96h7-956f |
golang.org/x/net/http vulnerable to a reset flood: Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. Servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. Specific Go packages affected: golang.org/x/net/http2 |
Affected by 31 other vulnerabilities. |
|
VCID-n91z-kugd-ebb5
Aliases: CVE-2020-8201 |
Multiple vulnerabilities have been found in NodeJS, the worst of which could result in the arbitrary execution of code. |
Affected by 25 other vulnerabilities. |
|
VCID-nenk-4cgd-fugv
Aliases: CVE-2024-27983 |
Multiple vulnerabilities have been discovered in Node.js, the worst of which could lead to execution of arbitrary code. |
Affected by 14 other vulnerabilities. |
|
VCID-nkas-113k-wkbu
Aliases: CVE-2018-7159 |
nodejs: HTTP parser allowed for spaces inside Content-Length header values |
Affected by 31 other vulnerabilities. |
|
VCID-p8ab-a4gk-eyd2
Aliases: CVE-2016-1669 |
Multiple vulnerabilities have been found in the Chromium web browser, the worst of which allows remote attackers to execute arbitrary code. |
Affected by 55 other vulnerabilities. |
|
VCID-pqnn-ers1-3fec
Aliases: CVE-2021-22884 |
Multiple vulnerabilities have been discovered in Node.js. |
Affected by 31 other vulnerabilities. Affected by 25 other vulnerabilities. |
|
VCID-q8th-849w-bfhp
Aliases: CVE-2021-22883 |
Multiple vulnerabilities have been discovered in Node.js. |
Affected by 31 other vulnerabilities. Affected by 25 other vulnerabilities. |
|
VCID-r8jj-tkxd-5qg8
Aliases: CVE-2018-7162 |
Multiple vulnerabilities have been found in Node.js, worst of which could allow remote attackers to write arbitrary files. |
Affected by 31 other vulnerabilities. |
|
VCID-rhxy-h93e-y3d4
Aliases: CVE-2018-7167 |
Multiple vulnerabilities have been found in Node.js, worst of which could allow remote attackers to write arbitrary files. |
Affected by 31 other vulnerabilities. |
|
VCID-srpj-seee-xyhm
Aliases: CVE-2015-6764 |
Multiple vulnerabilities have been found in the Chromium web browser, the worst of which allows remote attackers to execute arbitrary code. |
Affected by 55 other vulnerabilities. |
|
VCID-tnhd-rr89-9udh
Aliases: CVE-2021-22960 |
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'): The parse function in llhttp ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. |
Affected by 25 other vulnerabilities. |
|
VCID-tqg7-dw5d-z3et
Aliases: CVE-2018-12115 |
Multiple vulnerabilities have been found in Node.js, worst of which could allow remote attackers to write arbitrary files. |
Affected by 31 other vulnerabilities. |
|
VCID-u8pe-48f4-abc9
Aliases: CVE-2018-7160 GHSA-wq4c-wm6x-jw44 |
Authentication Bypass by Spoofing: The Node.js inspector, in 6.x and later, is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser into bypassing same-origin-policy checks and allowing HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access. |
Affected by 31 other vulnerabilities. |
|
VCID-us11-vy4j-pfd2
Aliases: CVE-2019-5737 |
Multiple vulnerabilities have been found in Node.js, worst of which could allow remote attackers to write arbitrary files. |
Affected by 31 other vulnerabilities. |
|
VCID-usab-z8q8-7qd8
Aliases: CVE-2018-7158 |
nodejs: path module regular expression denial of service |
Affected by 31 other vulnerabilities. |
|
VCID-vkvx-gxbu-3uau
Aliases: CVE-2024-22019 |
Multiple vulnerabilities have been discovered in Node.js, the worst of which could lead to execution of arbitrary code. |
Affected by 14 other vulnerabilities. |
|
VCID-wf5t-3pwz-c7d7
Aliases: CVE-2025-23085 |
Multiple vulnerabilities have been discovered in Node.js, the worst of which can lead to arbitrary code execution. |
Affected by 14 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-wpfq-sq11-fqa9
Aliases: CVE-2019-15606 |
Multiple vulnerabilities have been found in Node.js, worst of which could allow remote attackers to write arbitrary files. |
Affected by 31 other vulnerabilities. |
|
VCID-wzcw-dd7m-zkaz
Aliases: CVE-2022-32215 |
Multiple vulnerabilities have been discovered in Node.js. |
Affected by 25 other vulnerabilities. |
|
VCID-xeay-8ec9-4bdd
Aliases: CVE-2020-8174 |
Multiple vulnerabilities have been found in NodeJS, the worst of which could result in the arbitrary execution of code. |
Affected by 31 other vulnerabilities. |
|
VCID-xnzh-wpd4-63f9
Aliases: CVE-2022-35255 |
Multiple vulnerabilities have been discovered in Node.js. |
Affected by 25 other vulnerabilities. |
|
VCID-xq3f-g8n8-tffp
Aliases: CVE-2014-9748 |
The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from releasing the locks of other threads, which allows attackers to cause a denial of service (deadlock) or possibly have unspecified other impact by leveraging a race condition. |
Affected by 55 other vulnerabilities. |
|
VCID-z3gm-8afk-q7dv
Aliases: CVE-2014-5256 |
V8: Memory Corruption and Stack Overflow |
Affected by 55 other vulnerabilities. |
|
VCID-zj4d-e8r7-ufg3
Aliases: CVE-2020-8287 |
Multiple vulnerabilities have been found in NodeJS, the worst of which could result in the arbitrary execution of code. |
Affected by 31 other vulnerabilities. Affected by 25 other vulnerabilities. |
|
VCID-zrbm-htvv-eke9
Aliases: CVE-2018-12121 |
Multiple vulnerabilities have been found in Node.js, worst of which could allow remote attackers to write arbitrary files. |
Affected by 31 other vulnerabilities. |
|
VCID-zstw-3wmu-u3c8
Aliases: CVE-2023-30589 GHSA-cggh-pq45-6h9x |
llhttp vulnerable to HTTP request smuggling: The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and v20. |
Affected by 14 other vulnerabilities. |
|
VCID-ztt4-vnk7-7ycq
Aliases: CVE-2020-8265 |
Multiple vulnerabilities have been found in NodeJS, the worst of which could result in the arbitrary execution of code. |
Affected by 31 other vulnerabilities. Affected by 25 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||