Vulnerabilities affecting this package (0)
| Vulnerability |
Summary |
Fixed by |
|
This package is not known to be affected by vulnerabilities.
|
Vulnerabilities fixed by this package (6)
| Vulnerability |
Summary |
Aliases |
|
VCID-5cf7-va9h-h3gy
|
Improper Certificate Validation
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js does not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.
|
CVE-2021-44531
|
|
VCID-e18p-c3m9-2qgy
|
Multiple vulnerabilities have been discovered in Node.js.
|
CVE-2021-44532
|
|
VCID-gwyr-ac4e-dqfa
|
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
The llhttp parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS).
|
CVE-2021-22959
|
|
VCID-m5ae-uc68-d3g2
|
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
This advisory has been marked as a false positive.
|
CVE-2022-21824
|
|
VCID-ms5y-gp7v-2qay
|
Multiple vulnerabilities have been discovered in Node.js.
|
CVE-2021-44533
|
|
VCID-tnhd-rr89-9udh
|
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
The parse function in llhttp ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
|
CVE-2021-22960
|