pkg:Bitnami/node-min
112 total CVEsCRITICAL12HIGH57MEDIUM32LOW6
✅ Check your installed version
All known vulnerabilities
- from 0, < 18.18.2, >= 19.0.0, < 20.8.1
- CRITICAL10.0CVE-2026-21636A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enab…>= 25.0.0, < 25.3.0
- >= 1.77.2, < 18.20.5
- CRITICAL9.8CVE-2024-21896The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user.>= 20.0.0, < 20.18.1, >= 21.0.0, < 22.12.0
- CRITICAL9.8CVE-2023-39332Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects.>= 20.0.0, < 20.8.0
- CRITICAL9.8CVE-2023-32002The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.from 0, < 16.20.2, >= 17.0.0, < 18.17.1, >= 19.0.0, < 20.5.1
- >= 18.0.0, < 18.11.0, >= 18.12.0, < 18.12.1, >= 19.0.0, < 19.0.1
- >= 12.0.0, < 12.22.4, >= 14.0.0, < 14.17.4, >= 16.0.0, < 16.6.0
- CRITICAL9.8CVE-2021-22931Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validatio…>= 12.0.0, < 12.12.1, >= 12.13.0, < 12.22.5, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.17.5, >= 16.0.0, < 16.6.2
- CRITICAL9.1CVE-2025-55130A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relati…>= 20.0.0, < 20.20.0, >= 21.0.0, < 22.22.0, >= 23.0.0, < 24.13.0, >= 25.0.0, < 25.3.0
- CRITICAL9.1CVE-2022-35255A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyG…>= 15.0.0, < 15.14.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.17.1, >= 18.0.0, < 18.9.1
- CRITICAL9.1CVE-2022-32213llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding>= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.17.1, >= 18.0.0, < 18.9.1
- CRITICAL9.1CVE-2022-32214llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields>= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.0, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.16.0, >= 18.0.0, < 18.5.0
- HIGH8.8CVE-2024-21891Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-…>= 20.0.0, < 20.11.1, >= 21.0.0, < 21.6.2
- HIGH8.8CVE-2023-32004A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model.>= 20.0.0, < 20.5.1
- HIGH8.8CVE-2023-32006The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition f…from 0, < 16.20.2, >= 17.0.0, < 18.17.1, >= 19.0.0, < 20.5.1
- >= 10.13.0, < 10.21.0
- HIGH8.2CVE-2024-27983An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2…from 0, < 18.20.1, >= 19.0.0, < 20.12.1, >= 21.0.0, < 21.7.2
- HIGH8.2CVE-2022-21824Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "propertie…>= 12.0.0, < 12.22.9, >= 14.0.0, < 14.18.3, >= 16.0.0, < 16.13.2, >= 17.0.0, < 17.3.1
- HIGH8.1CVE-2024-27980Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject…from 0, < 18.20.2, >= 19.0.0, < 20.12.2, >= 21.0.0, < 21.7.3
- HIGH8.1CVE-2024-36138Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via chil…from 0, < 18.20.5, >= 19.0.0, < 20.18.1, >= 21.0.0, < 22.12.0
- >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.21.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.18.1, >= 18.0.0, < 18.11.1, >= 18.12.0, < 18.12.1, >= 19.0.0, < 19.0.1
- >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.17.1, >= 18.0.0, < 18.5.0
- >= 10.0.0, < 10.23.1, >= 12.0.0, < 12.20.1, >= 14.0.0, < 14.15.4, >= 15.0.0, < 15.5.1
- HIGH8.1CVE-2020-8174napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.from 0, < 10.21.0, >= 12.0.0, < 12.18.0, >= 14.0.0, < 14.4.0
- HIGH7.8CVE-2021-22921Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platfor…>= 12.0.0, < 12.22.2, >= 14.0.0, < 14.17.2, >= 16.0.0, < 16.4.1
- HIGH7.8CVE-2024-21892On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running wit…from 0, < 18.19.1, >= 19.0.0, < 20.11.1, >= 21.0.0, < 21.6.2
- HIGH7.8CVE-2020-8252The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which…>= 10.0.0, < 10.22.1, >= 12.0.0, < 12.18.4, >= 14.0.0, < 14.9.0
- HIGH7.7CVE-2025-23083With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created.>= 19.0.0, < 20.18.2, >= 21.0.0, < 22.13.1, >= 23.0.0, < 23.8.0
- HIGH7.7CVE-2023-30584A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model.>= 20.0.0, < 20.3.1
- HIGH7.5CVE-2026-21710A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the a…from 0, < 20.20.2, >= 21.0.0, < 22.22.2, >= 23.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
- from 0, < 20.20.0, >= 21.0.0, < 22.22.0, >= 23.0.0, < 24.13.0, >= 25.0.0, < 25.3.0
- HIGH7.5CVE-2025-59466We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.cre…from 0, < 20.20.0, >= 21.0.0, < 22.22.0, >= 23.0.0, < 24.13.0, >= 25.0.0, < 25.3.0
- HIGH7.5CVE-2025-59465A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` e…from 0, < 20.20.0, >= 21.0.0, < 22.22.0, >= 23.0.0, < 24.13.0, >= 25.0.0, < 25.3.0
- HIGH7.5CVE-2025-27210An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX.>= 4.0.0, < 20.19.4, >= 22.0.0, < 22.17.1, >= 24.0.0, < 24.4.1
- HIGH7.5CVE-2025-27209The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash.>= 24.0.0, < 24.4.1
- HIGH7.5CVE-2025-23166The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background…from 0, < 20.19.2, >= 21.0.0, < 22.15.1, >= 23.0.0, < 24.0.2
- HIGH7.5CVE-2023-30583fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in…>= 20.0.0, < 20.3.1
- HIGH7.5CVE-2023-30587A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspec…>= 20.0.0, < 20.3.1
- HIGH7.5CVE-2020-8251Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unab…>= 14.0.0, < 14.11.0
- HIGH7.5CVE-2023-30585A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install No…>= 16.0.0, < 16.20.1, >= 18.0.0, < 18.16.1, >= 20.0.0, < 20.3.1
- HIGH7.5CVE-2023-30586A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission m…>= 20.0.0, < 20.3.1
- HIGH7.5CVE-2023-32558The use of the deprecated API `process.binding()` can bypass the permission model through path traversal.>= 20.0.0, < 20.5.1
- HIGH7.5CVE-2023-39331A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6.>= 20.0.0, < 20.8.1
- HIGH7.5CVE-2024-22019A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resou…from 0, < 18.19.1, >= 19.0.0, < 20.11.1, >= 21.0.0, < 21.6.2
- >= 16.0.0, < 16.20.1, >= 18.0.0, < 18.16.1, >= 20.0.0, < 20.3.1
- HIGH7.5CVE-2023-30581The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.js…>= 16.0.0, < 16.20.1, >= 18.0.0, < 18.16.1, >= 20.0.0, < 20.3.1
- HIGH7.5CVE-2023-38552When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation…from 0, < 18.18.2, >= 19.0.0, < 20.8.1
- HIGH7.5CVE-2023-32559A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.from 0, < 16.20.2, >= 17.0.0, < 18.17.1, >= 19.0.0, < 20.5.1
- >= 16.0.0, < 16.20.1, >= 18.0.0, < 18.16.1, >= 20.0.0, < 20.3.1
- HIGH7.5CVE-2023-23919A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL err…>= 14.0.0, < 14.21.3, >= 16.0.0, < 16.19.1, >= 18.0.0, < 18.14.1, >= 19.0.0, < 19.2.0
- >= 14.0.0, < 14.21.3, >= 16.0.0, < 16.19.1, >= 18.0.0, < 18.14.1, >= 19.0.0, < 19.6.1
- >= 18.0.0, < 18.11.0, >= 18.12.0, < 18.12.1, >= 19.0.0, < 19.0.1
- >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.22.11, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.19.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.14.2, >= 17.0.0, < 17.7.2
- >= 17.0.0, < 17.3.0
- >= 10.0.0, < 10.12.1, >= 10.13.0, < 10.24.0, >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.21.0, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.15.1, >= 15.0.0, < 15.10.0
- HIGH7.5CVE-2021-22940Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory…>= 12.0.0, < 12.22.5, >= 14.0.0, < 14.17.5, >= 16.0.0, < 16.6.2
- HIGH7.5CVE-2021-22884Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”.>= 10.0.0, < 10.24.0, >= 12.0.0, < 12.21.0, >= 14.0.0, < 14.16.0, >= 15.0.0, < 15.10.0
- >= 10.0.0, < 10.24.0, >= 12.0.0, < 12.21.0, >= 14.0.0, < 14.16.0, >= 15.0.0, < 15.10.0
- HIGH7.5CVE-2020-8277A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in vers…>= 12.16.3, < 12.19.1, >= 14.13.0, < 14.15.1, >= 15.0.0, < 15.2.1
- >= 10.0.0, < 10.12.1, >= 10.13.0, < 10.21.0, >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.18.0, >= 14.0.0, < 14.4.1
- HIGH7.5CVE-2025-59464A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buf…>= 24.0.0, < 24.12.0
- from 0, < 18.19.1, >= 19.0.0, < 20.11.1, >= 21.0.0, < 21.6.1
- HIGH7.4CVE-2021-44531Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in…from 0, < 12.22.9, >= 14.0.0, < 14.18.3, >= 16.0.0, < 16.13.2, >= 17.0.0, < 17.3.1
- >= 10.0.0, < 10.24.1, >= 12.0.0, < 12.22.1, >= 14.0.0, < 14.16.1, >= 15.0.0, < 15.14.0
- HIGH7.4CVE-2020-8201Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users.>= 12.0.0, < 12.18.4, >= 14.0.0, < 14.11.0
- HIGH7.4CVE-2020-8172TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.>= 12.0.0, < 12.18.0, >= 14.0.0, < 14.4.0
- HIGH7.3CVE-2024-22017setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid().>= 20.0.0, < 20.11.1, >= 21.0.0, < 21.6.2
- HIGH7.3CVE-2022-32223Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be explo…>= 14.0.0, < 14.14.1, >= 14.14.0, < 14.20.0, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.16.0, >= 18.0.0, < 18.0.5
- HIGH7.1CVE-2025-55131A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module wi…from 0, < 20.20.0, >= 21.0.0, < 22.22.0, >= 23.0.0, < 24.13.0, >= 25.0.0, < 25.3.0
- MEDIUM6.5CVE-2025-23167A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`.from 0, < 20.19.2
- from 0, < 18.20.5, >= 19.0.0, < 20.18.1, >= 21.0.0, < 22.12.0
- MEDIUM6.5CVE-2024-21890The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path.>= 20.0.0, < 20.11.1, >= 21.0.0, < 21.6.2
- MEDIUM6.5CVE-2024-27982The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to…from 0, < 18.20.1, >= 19.0.0, < 20.12.1, >= 21.0.0, < 21.7.2
- MEDIUM6.5CVE-2024-22025A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fe…from 0, < 18.19.1, >= 19.0.0, < 20.11.1, >= 21.0.0, < 21.6.2
- MEDIUM6.5CVE-2022-35256The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF.>= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.17.1, >= 18.0.0, < 18.9.1
- MEDIUM6.5CVE-2022-32215The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding he…>= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.0, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.16.0, >= 18.0.0, < 18.5.0
- >= 10.0.0, < 10.23.1, >= 12.0.0, < 12.20.1, >= 14.0.0, < 14.15.4, >= 15.0.0, < 15.5.1
- MEDIUM5.9CVE-2026-21717A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially p…from 0, < 20.20.2, >= 21.0.0, < 22.22.2, >= 23.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
- MEDIUM5.9CVE-2026-21713A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timin…from 0, < 20.20.2, >= 21.0.0, < 22.22.2, >= 23.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
- >= 10.0.0, < 10.12.1, >= 10.13.0, < 10.24.1, >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.22.1, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.16.1, >= 15.0.0, < 15.14.0
- >= 10.0.0, < 10.12.1, >= 10.13.0, < 10.23.1, >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.20.1, >= 14.15.0, < 14.15.4, >= 15.0.0, < 15.5.0, >= 14.0.0, < 14.14.1
- MEDIUM5.7CVE-2026-21712A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalize…>= 24.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
- >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.22.5, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.17.5, >= 16.0.0, < 16.6.2
- MEDIUM5.5CVE-2025-23084A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment.from 0, < 18.20.6, >= 19.0.0, < 20.18.2, >= 21.0.0, < 22.13.1, >= 23.0.0, < 23.8.0
- MEDIUM5.3CVE-2026-21711A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission ch…>= 25.0.0, < 25.8.2
- MEDIUM5.3CVE-2026-21714A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow…from 0, < 20.20.2, >= 21.0.0, < 22.22.2, >= 23.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
- MEDIUM5.3CVE-2025-55132A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process…>= 20.0.0, < 20.20.0, >= 21.0.0, < 22.22.0, >= 23.0.0, < 24.13.0, >= 25.0.0, < 25.3.0
- from 0, < 18.20.6, >= 19.0.0, < 20.18.2, >= 21.0.0, < 22.13.1, >= 23.0.0, < 23.8.0
- MEDIUM5.3CVE-2023-30582A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read fl…>= 20.0.0, < 20.3.1
- MEDIUM5.3CVE-2023-39333Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code.from 0, < 18.18.2, >= 19.0.0, < 20.8.1
- MEDIUM5.3CVE-2022-32222A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf…>= 18.0.0, < 18.5.0
- MEDIUM5.3CVE-2023-32003`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack.>= 20.0.0, < 20.5.1
- MEDIUM5.3CVE-2023-32005A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read fl…>= 20.0.0, < 20.5.1
- MEDIUM5.3CVE-2023-30588When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs mak…>= 16.0.0, < 16.20.1, >= 18.0.0, < 18.16.1, >= 20.0.0, < 20.3.1
- MEDIUM5.3CVE-2021-44533Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly.from 0, < 12.22.9, >= 14.0.0, < 14.18.3, >= 16.0.0, < 16.13.2, >= 17.0.0, < 17.3.1
- MEDIUM5.3CVE-2021-44532Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format.from 0, < 12.22.9, >= 14.0.0, < 14.18.3, >= 16.0.0, < 16.13.2, >= 17.0.0, < 17.3.1
- MEDIUM5.3CVE-2021-22939If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned a…>= 12.0.0, < 12.22.5, >= 14.0.0, < 14.17.5, >= 16.0.0, < 16.6.2
- >= 12.0.0, < 12.22.2, >= 14.0.0, < 14.17.2, >= 16.0.0, < 16.4.1
- >= 16.0.0, < 16.19.1, >= 18.0.0, < 18.14.1, >= 19.0.0, < 19.6.1
- >= 14.0.0, < 14.21.3, >= 16.0.0, < 16.19.1, >= 18.0.0, < 18.14.1, >= 19.0.0, < 19.6.1
- LOW3.7CVE-2025-23165In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocate…from 0, < 20.19.2, >= 21.0.0, < 22.15.1
- LOW3.6CVE-2024-37372The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not al…>= 19.0.0, < 20.18.1, >= 21.0.0, < 22.12.0
- LOW3.3CVE-2026-21716An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permissi…from 0, < 20.20.2, >= 21.0.0, < 22.22.2, >= 23.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
- LOW3.3CVE-2026-21715A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, wh…from 0, < 20.20.2, >= 21.0.0, < 22.22.2, >= 23.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
- LOW3.3CVE-2024-36137A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used.>= 20.0.0, < 20.18.1, >= 21.0.0, < 22.12.0
- LOW2.9CVE-2024-22018A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used.>= 20.0.0, < 20.18.1, >= 21.0.0, < 22.12.0
- —CVE-2025-23122Rejected reason: This CVE record has been withdrawn due to a duplicate entry CVE-2025-23165.from 0, < 20.19.2, >= 21.0.0, < 22.15.1
- —CVE-2025-23087Rejected reason: This Record was REJECTED after determining it is not in compliance with CVE Program requirements regarding assignment for…from 0, <= 0.12.18, >= 1.0.0, <= 1.8.4, >= 2.0.0, <= 2.13.2, >= 3.0.0, <= 3.3.1, >= 4.0.0, <= 4.9.1, >= 5.0.0, <= 5.12.0, >= 6.0.0, <= 6.17.1, >= 7.0.0, <= 7.10.1, >= 8.0.0, <= 8.17.0, >= 9.0.0, <= 9.11.2, >= 10.0.0, <= 10.24.1, >= 11.0.0, <= 11.15.0, >= 12.0.0, <= 12.22.12, >= 13.0.0, <= 13.14.0, >= 14.0.0, <= 14.21.3, >= 15.0.0, <= 15.14.0, >= 16.0.0, <= 16.20.2, >= 17.0.0, <= 17.9.1
- —CVE-2025-23088Rejected reason: This Record was REJECTED after determining it is not in compliance with CVE Program requirements regarding assignment for…>= 19.0.0, <= 19.9.0
- —CVE-2025-23089Rejected reason: This Record was REJECTED after determining it is not in compliance with CVE Program requirements regarding assignment for…>= 21.0.0, <= 21.7.3
- —CVE-2025-23090Rejected reason: This CVE record has been withdrawn due to a duplicate entry CVE-2025-23083.>= 19.0.0, < 20.18.2, >= 21.0.0, < 22.13.1, >= 23.0.0, < 23.8.0