Search for packages
| purl | pkg:ebuild/net-libs/nodejs@16.20.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1tz4-bphw-rbd3 | Path Traversal This npm package has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. |
CVE-2021-37701
GHSA-9r2w-394v-53qc |
| VCID-1xdz-dku3-qqc4 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability. |
CVE-2021-3672
|
| VCID-38k9-23j3-eqh7 | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2023-30581
|
| VCID-4ak9-89fm-ybh2 | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2023-30582
|
| VCID-53xm-8w84-93cx | Multiple vulnerabilities have been found in c-ares, the worst of which could result in the loss of confidentiality or integrity. |
CVE-2021-22930
|
| VCID-5cf7-va9h-h3gy | Improper Certificate Validation Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js does not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option. |
CVE-2021-44531
|
| VCID-71yj-bmak-pkdu | Multiple vulnerabilities have been discovered in OpenSSL, the worst of which could result in remote code execution. |
CVE-2022-3602
GHSA-8rwr-x37p-mx23 |
| VCID-7cth-47w2-17hy | Multiple vulnerabilities have been found in c-ares, the worst of which could result in the loss of confidentiality or integrity. |
CVE-2021-22940
|
| VCID-7mtb-yaq7-77ep | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The npm package "tar" (aka node-tar) has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. |
CVE-2021-37712
GHSA-qq89-hq3f-393p |
| VCID-7tpb-9zrz-e7e1 | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2022-32212
|
| VCID-7z51-jgw6-v7hr | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2023-32005
|
| VCID-8c4g-fjsa-nkhw | llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. The LF character (without CR) is sufficient to delimit HTTP header fields in the lihttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This can lead to HTTP Request Smuggling (HRS). |
CVE-2022-32214
GHSA-q5vx-44v4-gch4 |
| VCID-9g7s-y7nq-xfbb | Multiple vulnerabilities have been found in c-ares, the worst of which could result in the loss of confidentiality or integrity. |
CVE-2021-22939
|
| VCID-9vk1-2ysq-3ygd | UNIX Symbolic Link (Symlink) Following `@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist which is included in npm v7.20.7. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2. |
CVE-2021-39135
GHSA-gmw6-94gg-2rc2 |
| VCID-9yq7-aba3-c7c3 | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2023-32559
|
| VCID-ap4u-dkwx-1kb3 | Multiple vulnerabilities have been found in c-ares, the worst of which could result in the loss of confidentiality or integrity. |
CVE-2021-22931
|
| VCID-b54b-pd2b-bygm | llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). Impacts: - All versions of the nodejs 18.x, 16.x, and 14.x releases lines. - llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js |
CVE-2022-32213
GHSA-5689-v88g-g6rv |
| VCID-dfdy-vhdd-5kh4 | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2022-35256
|
| VCID-e18p-c3m9-2qgy | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2021-44532
|
| VCID-e7u5-356v-jbg7 | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2023-30590
|
| VCID-ec66-gwvw-kucs | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2023-30587
|
| VCID-fu8u-pxaa-43be | Prototype Pollution in y18n ### Overview The npm package `y18n` before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution. ### POC ```js const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true ``` ### Recommendation Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later. |
CVE-2020-7774
GHSA-c4w7-xm78-47vh |
| VCID-g4wu-n75v-p7ad | `undici.request` vulnerable to SSRF using absolute URL on `pathname` ### Impact `undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. ### Patches This issue was fixed in `undici@5.8.1`. ### Workarounds The best workaround is to validate user input before passing it to the `undici.request` call. ## For more information If you have any questions or comments about this advisory: - Open an issue in [undici repository](https://github.com/nodejs/undici/issues) - To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document |
CVE-2022-35949
GHSA-8qr4-xgw6-wmr3 |
| VCID-g5wj-ffk1-7bg7 | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2023-30586
|
| VCID-gsbn-6t86-7kf9 | Loop with Unreachable Exit Condition ('Infinite Loop') The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters |
CVE-2022-0778
GHSA-x3mh-jvjw-3xwx |
| VCID-gwyr-ac4e-dqfa | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') The llhttp parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). |
CVE-2021-22959
|
| VCID-kj75-vmwa-gqgq | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2023-32006
|
| VCID-m5ae-uc68-d3g2 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') This advisory has been marked as a false positive. |
CVE-2022-21824
|
| VCID-m7rw-arzq-jba1 | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2022-43548
|
| VCID-ms5y-gp7v-2qay | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2021-44533
|
| VCID-myru-vzn7-u7cf | UNIX Symbolic Link (Symlink) Following `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. |
CVE-2021-39134
GHSA-2h3h-q99f-3fhc |
| VCID-nj6f-gujk-wqah | A buffer overread vulnerability has been found in libuv. |
CVE-2021-22918
|
| VCID-p31t-nxwe-yyf2 | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2023-32558
|
| VCID-pqnn-ers1-3fec | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2021-22884
|
| VCID-q75s-43sx-4kbg | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2023-30588
|
| VCID-q8th-849w-bfhp | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2021-22883
|
| VCID-rg1f-5nhq-m7ea | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2023-32004
|
| VCID-rskk-s95c-rfgz | Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type ### Impact `=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` ### Patches This issue was patched in Undici v5.8.1 ### Workarounds Sanitize input when sending content-type headers using user input. ## For more information If you have any questions or comments about this advisory: - Open an issue in [undici repository](https://github.com/nodejs/undici/issues) - To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document |
CVE-2022-35948
GHSA-f772-66g8-q5h3 |
| VCID-sag8-repb-g3f4 | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2023-32002
|
| VCID-sthj-jvke-tyg7 | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2023-30584
|
| VCID-tnhd-rr89-9udh | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') The parse function in llhttp ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. |
CVE-2021-22960
|
| VCID-ueyx-hwjr-fuhq | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2023-30583
|
| VCID-uftn-4gjb-dqe6 | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2023-32003
|
| VCID-v3uy-dqn9-qye5 | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2022-32222
|
| VCID-wzcw-dd7m-zkaz | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2022-32215
|
| VCID-xnzh-wpd4-63f9 | Multiple vulnerabilities have been discovered in Node.js. |
CVE-2022-35255
|
| VCID-xq7s-zrwb-yffw | Multiple vulnerabilities have been discovered in OpenSSL, the worst of which could result in remote code execution. |
CVE-2022-3786
GHSA-h8jm-2x53-xhp5 |
| VCID-zstw-3wmu-u3c8 | llhttp vulnerable to HTTP request smuggling The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20 |
CVE-2023-30589
GHSA-cggh-pq45-6h9x |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T13:14:50.762477+00:00 | Gentoo Importer | Fixing | VCID-9yq7-aba3-c7c3 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.728755+00:00 | Gentoo Importer | Fixing | VCID-p31t-nxwe-yyf2 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.694862+00:00 | Gentoo Importer | Fixing | VCID-kj75-vmwa-gqgq | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.658248+00:00 | Gentoo Importer | Fixing | VCID-7z51-jgw6-v7hr | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.619752+00:00 | Gentoo Importer | Fixing | VCID-rg1f-5nhq-m7ea | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.581874+00:00 | Gentoo Importer | Fixing | VCID-uftn-4gjb-dqe6 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.545580+00:00 | Gentoo Importer | Fixing | VCID-sag8-repb-g3f4 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.507063+00:00 | Gentoo Importer | Fixing | VCID-e7u5-356v-jbg7 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.464104+00:00 | Gentoo Importer | Fixing | VCID-zstw-3wmu-u3c8 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.415265+00:00 | Gentoo Importer | Fixing | VCID-q75s-43sx-4kbg | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.373713+00:00 | Gentoo Importer | Fixing | VCID-ec66-gwvw-kucs | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.334943+00:00 | Gentoo Importer | Fixing | VCID-g5wj-ffk1-7bg7 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.296681+00:00 | Gentoo Importer | Fixing | VCID-sthj-jvke-tyg7 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.253998+00:00 | Gentoo Importer | Fixing | VCID-ueyx-hwjr-fuhq | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.211303+00:00 | Gentoo Importer | Fixing | VCID-4ak9-89fm-ybh2 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.172783+00:00 | Gentoo Importer | Fixing | VCID-38k9-23j3-eqh7 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.126139+00:00 | Gentoo Importer | Fixing | VCID-m7rw-arzq-jba1 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.086690+00:00 | Gentoo Importer | Fixing | VCID-g4wu-n75v-p7ad | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.053330+00:00 | Gentoo Importer | Fixing | VCID-rskk-s95c-rfgz | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:50.017625+00:00 | Gentoo Importer | Fixing | VCID-dfdy-vhdd-5kh4 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.982675+00:00 | Gentoo Importer | Fixing | VCID-xnzh-wpd4-63f9 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.949728+00:00 | Gentoo Importer | Fixing | VCID-v3uy-dqn9-qye5 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.914064+00:00 | Gentoo Importer | Fixing | VCID-wzcw-dd7m-zkaz | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.880222+00:00 | Gentoo Importer | Fixing | VCID-8c4g-fjsa-nkhw | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.845496+00:00 | Gentoo Importer | Fixing | VCID-b54b-pd2b-bygm | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.809777+00:00 | Gentoo Importer | Fixing | VCID-7tpb-9zrz-e7e1 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.773735+00:00 | Gentoo Importer | Fixing | VCID-m5ae-uc68-d3g2 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.741723+00:00 | Gentoo Importer | Fixing | VCID-xq7s-zrwb-yffw | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.706996+00:00 | Gentoo Importer | Fixing | VCID-71yj-bmak-pkdu | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.665466+00:00 | Gentoo Importer | Fixing | VCID-gsbn-6t86-7kf9 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.631865+00:00 | Gentoo Importer | Fixing | VCID-ms5y-gp7v-2qay | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.598790+00:00 | Gentoo Importer | Fixing | VCID-e18p-c3m9-2qgy | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.563231+00:00 | Gentoo Importer | Fixing | VCID-5cf7-va9h-h3gy | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.529664+00:00 | Gentoo Importer | Fixing | VCID-9vk1-2ysq-3ygd | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.485764+00:00 | Gentoo Importer | Fixing | VCID-myru-vzn7-u7cf | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.452536+00:00 | Gentoo Importer | Fixing | VCID-7mtb-yaq7-77ep | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.419978+00:00 | Gentoo Importer | Fixing | VCID-1tz4-bphw-rbd3 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.386068+00:00 | Gentoo Importer | Fixing | VCID-tnhd-rr89-9udh | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.347798+00:00 | Gentoo Importer | Fixing | VCID-gwyr-ac4e-dqfa | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.314549+00:00 | Gentoo Importer | Fixing | VCID-7cth-47w2-17hy | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.283956+00:00 | Gentoo Importer | Fixing | VCID-9g7s-y7nq-xfbb | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.247691+00:00 | Gentoo Importer | Fixing | VCID-ap4u-dkwx-1kb3 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.214100+00:00 | Gentoo Importer | Fixing | VCID-53xm-8w84-93cx | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.170586+00:00 | Gentoo Importer | Fixing | VCID-nj6f-gujk-wqah | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.136188+00:00 | Gentoo Importer | Fixing | VCID-pqnn-ers1-3fec | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.103107+00:00 | Gentoo Importer | Fixing | VCID-q8th-849w-bfhp | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.067943+00:00 | Gentoo Importer | Fixing | VCID-1xdz-dku3-qqc4 | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |
| 2026-04-01T13:14:49.027027+00:00 | Gentoo Importer | Fixing | VCID-fu8u-pxaa-43be | https://security.gentoo.org/glsa/202405-29 | 38.0.0 |