| purl | pkg:deb/debian/nodejs@12.22.12~dfsg-1~deb11u4 |
| Next non-vulnerable version | 20.19.2+dfsg-1 |
| Latest non-vulnerable version | 20.19.2+dfsg-1 |
| Risk | 4.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1vp3-fzdr-yqbm (Aliases: CVE-2026-21715) | Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions | Affected by 0 other vulnerabilities. |
| VCID-2t7c-dju9-pff6 (Aliases: CVE-2026-21713) | Node.js: Node.js: Information disclosure via timing oracle in HMAC verification | Affected by 0 other vulnerabilities. |
| VCID-2z1f-7jkw-17av (Aliases: CVE-2024-27982) | Multiple vulnerabilities have been discovered in Node.js, the worst of which could lead to execution of arbitrary code. | Affected by 14 other vulnerabilities. |
| VCID-38k9-23j3-eqh7 (Aliases: CVE-2023-30581) | Multiple vulnerabilities have been discovered in Node.js. | Affected by 14 other vulnerabilities. |
| VCID-43sf-4r41-wugc (Aliases: CVE-2025-55132) | nodejs: Nodejs filesystem permissions bypass | Affected by 0 other vulnerabilities. |
| VCID-96yh-1wub-zucg (Aliases: CVE-2026-21714) | Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames | Affected by 0 other vulnerabilities. |
| VCID-98fy-tedc-ube7 (Aliases: CVE-2025-55131) | nodejs: Nodejs uninitialized memory exposure | Affected by 0 other vulnerabilities. |
| VCID-9yq7-aba3-c7c3 (Aliases: CVE-2023-32559) | Multiple vulnerabilities have been discovered in Node.js. | Affected by 14 other vulnerabilities. |
| VCID-bjza-25hu-vkad (Aliases: CVE-2026-21637) | nodejs: Nodejs denial of service | Affected by 0 other vulnerabilities. |
| VCID-bx67-aud6-b3fa (Aliases: CVE-2024-22025) | Multiple vulnerabilities have been discovered in Node.js, the worst of which could lead to execution of arbitrary code. | Affected by 14 other vulnerabilities. |
| VCID-c8xz-v6h3-6ueb (Aliases: CVE-2025-47153) | nodejs: libuv: Out-of-Bounds Access Due to Inconsistent off_t Size in libuv and Node.js Build on i386 | Affected by 14 other vulnerabilities. |
| VCID-dgkh-jdah-wfh9 (Aliases: CVE-2026-21717) | nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions | Affected by 0 other vulnerabilities. |
| VCID-dt7u-3usg-9uet (Aliases: CVE-2026-21710) | Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header | Affected by 0 other vulnerabilities. |
| VCID-e6gj-fe31-kkh5 (Aliases: CVE-2023-46809) | Multiple vulnerabilities have been discovered in Node.js, the worst of which could lead to execution of arbitrary code. | Affected by 14 other vulnerabilities. |
| VCID-e7u5-356v-jbg7 (Aliases: CVE-2023-30590) | Multiple vulnerabilities have been discovered in Node.js. | Affected by 14 other vulnerabilities. |
| VCID-kj75-vmwa-gqgq (Aliases: CVE-2023-32006) | Multiple vulnerabilities have been discovered in Node.js. | Affected by 14 other vulnerabilities. |
| VCID-nenk-4cgd-fugv (Aliases: CVE-2024-27983) | Multiple vulnerabilities have been discovered in Node.js, the worst of which could lead to execution of arbitrary code. | Affected by 14 other vulnerabilities. |
| VCID-sag8-repb-g3f4 (Aliases: CVE-2023-32002) | Multiple vulnerabilities have been discovered in Node.js. | Affected by 14 other vulnerabilities. |
| VCID-twc8-ewm7-wkb1 (Aliases: CVE-2026-21716) | nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. | Affected by 0 other vulnerabilities. |
| VCID-u8bq-8jp4-jkem (Aliases: CVE-2025-59466) | nodejs: Nodejs denial of service | Affected by 0 other vulnerabilities. |
| VCID-v7uy-445x-tuan (Aliases: CVE-2025-59465) | nodejs: Nodejs denial of service | Affected by 0 other vulnerabilities. |
| VCID-vkvx-gxbu-3uau (Aliases: CVE-2024-22019) | Multiple vulnerabilities have been discovered in Node.js, the worst of which could lead to execution of arbitrary code. | Affected by 14 other vulnerabilities. |
| VCID-wf5t-3pwz-c7d7 (Aliases: CVE-2025-23085) | Multiple vulnerabilities have been discovered in Node.js, the worst of which can lead to arbitrary code execution. | Affected by 14 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-x1an-pjq4-nbby (Aliases: CVE-2025-55130) | nodejs: Nodejs file permissions bypass | Affected by 0 other vulnerabilities. |
| VCID-zstw-3wmu-u3c8 (Aliases: CVE-2023-30589, GHSA-cggh-pq45-6h9x) | llhttp vulnerable to HTTP request smuggling. The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and v20. | Affected by 14 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-53xm-8w84-93cx | Multiple vulnerabilities have been found in c-ares, the worst of which could result in the loss of confidentiality or integrity. | CVE-2021-22930 |
| VCID-5cf7-va9h-h3gy | Improper Certificate Validation. Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js does not match the URI correctly. Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option. | CVE-2021-44531 |
| VCID-7tpb-9zrz-e7e1 | Multiple vulnerabilities have been discovered in Node.js. | CVE-2022-32212 |
| VCID-8c4g-fjsa-nkhw | llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields. The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. The LF character (without CR) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This can lead to HTTP Request Smuggling (HRS). | CVE-2022-32214, GHSA-q5vx-44v4-gch4 |
| VCID-9g7s-y7nq-xfbb | Multiple vulnerabilities have been found in c-ares, the worst of which could result in the loss of confidentiality or integrity. | CVE-2021-22939 |
| VCID-b54b-pd2b-bygm | llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding. The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). Impacts: all versions of the nodejs 18.x, 16.x, and 14.x release lines; llhttp v6.0.7 and llhttp v2.1.5 contain the fixes that were updated inside Node.js. | CVE-2022-32213, GHSA-5689-v88g-g6rv |
| VCID-dfdy-vhdd-5kh4 | Multiple vulnerabilities have been discovered in Node.js. | CVE-2022-35256 |
| VCID-e18p-c3m9-2qgy | Multiple vulnerabilities have been discovered in Node.js. | CVE-2021-44532 |
| VCID-gwyr-ac4e-dqfa | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'). The llhttp parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). | CVE-2021-22959 |
| VCID-hnjv-fp2r-vqfq | Node.js: insecure loading of ICU data through ICU_DATA environment variable | CVE-2023-23920 |
| VCID-m5ae-uc68-d3g2 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). This advisory has been marked as a false positive. | CVE-2022-21824 |
| VCID-m7rw-arzq-jba1 | Multiple vulnerabilities have been discovered in Node.js. | CVE-2022-43548 |
| VCID-ms5y-gp7v-2qay | Multiple vulnerabilities have been discovered in Node.js. | CVE-2021-44533 |
| VCID-n91z-kugd-ebb5 | Multiple vulnerabilities have been found in NodeJS, the worst of which could result in the arbitrary execution of code. | CVE-2020-8201 |
| VCID-pqnn-ers1-3fec | Multiple vulnerabilities have been discovered in Node.js. | CVE-2021-22884 |
| VCID-q8th-849w-bfhp | Multiple vulnerabilities have been discovered in Node.js. | CVE-2021-22883 |
| VCID-tnhd-rr89-9udh | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'). The parse function in llhttp ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. | CVE-2021-22960 |
| VCID-wzcw-dd7m-zkaz | Multiple vulnerabilities have been discovered in Node.js. | CVE-2022-32215 |
| VCID-xnzh-wpd4-63f9 | Multiple vulnerabilities have been discovered in Node.js. | CVE-2022-35255 |
| VCID-zj4d-e8r7-ufg3 | Multiple vulnerabilities have been found in NodeJS, the worst of which could result in the arbitrary execution of code. | CVE-2020-8287 |
| VCID-ztt4-vnk7-7ycq | Multiple vulnerabilities have been found in NodeJS, the worst of which could result in the arbitrary execution of code. | CVE-2020-8265 |