VulnerableCode Package Details - pkg:rpm/redhat/nodejs@1:16.19.1-1?arch=el9

Search for packages

Vulnerability	Summary	Fixed by
VCID-5vh6-usw6-2qhy Aliases: CVE-2022-4904	Improper Input Validation A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.	There are no reported fixed by versions.
VCID-7nnu-jtjx-u3ff Aliases: CVE-2023-23918	Node.js: Permissions policies can be bypassed via process.mainModule	There are no reported fixed by versions.
VCID-dtvs-pgam-qkbp Aliases: CVE-2023-23936 GHSA-5r9g-qh6m-jxff	CRLF Injection in Nodejs ‘undici’ via host Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.	There are no reported fixed by versions.
VCID-hnjv-fp2r-vqfq Aliases: CVE-2023-23920	Node.js: insecure loading of ICU data through ICU_DATA environment variable	There are no reported fixed by versions.
VCID-m78y-81wr-y3cz Aliases: CVE-2022-25881 GHSA-rc47-6667-2j5j	http-cache-semantics vulnerable to Regular Expression Denial of Service http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.	There are no reported fixed by versions.
VCID-vh17-44d1-kyf7 Aliases: CVE-2023-24807 GHSA-r6ch-mqf9-qc9w	Regular Expression Denial of Service in Headers Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods is vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.	There are no reported fixed by versions.
VCID-y9aa-2a31-ufa7 Aliases: CVE-2021-35065 GHSA-cj88-88mr-972w GMS-2022-3113	glob-parent 6.0.0 vulnerable to Regular Expression Denial of Service glob-parent 6.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS). This issue is fixed in version 6.0.1. This vulnerability is separate from [GHSA-ww39-953v-wcq6](https://github.com/advisories/GHSA-ww39-953v-wcq6).	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-5vh6-usw6-2qhy
Aliases:
CVE-2022-4904

Improper Input Validation A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.