from 0, < 18.18.2, >= 19.0.0, < 20.8.1
CRITICAL10.0CVE-2026-21636A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enab… >= 25.0.0, < 25.3.0
CRITICAL10.0Command injection vulnerability in programing languages on Microsoft Windows operating system.
>= 1.77.2, < 18.19.0
CRITICAL9.8The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user.
>= 20.0.0, < 20.12.0, >= 21.0.0, < 22.1.0
CRITICAL9.8Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects.
>= 20.0.0, < 20.8.0
CRITICAL9.8The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
from 0, < 16.20.2, >= 17.0.0, < 18.17.1, >= 19.0.0, < 20.5.1
CRITICAL9.8X.509 Email Address 4-byte Buffer Overflow
>= 18.0.0, < 18.11.0, >= 18.12.0, < 18.12.1, >= 19.0.0, < 19.0.1
CRITICAL9.8nodejs - security update
>= 12.0.0, < 12.22.4, >= 14.0.0, < 14.17.4, >= 16.0.0, < 16.6.0
CRITICAL9.8Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validatio…
>= 12.0.0, < 12.12.1, >= 12.13.0, < 12.22.5, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.17.5, >= 16.0.0, < 16.6.2
CRITICAL9.1A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relati…
>= 20.0.0, < 20.20.0, >= 21.0.0, < 22.22.0, >= 23.0.0, < 24.13.0, >= 25.0.0, < 25.3.0
CRITICAL9.1A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyG…
>= 15.0.0, < 15.14.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.17.1, >= 18.0.0, < 18.9.1
CRITICAL9.1llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding
>= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.17.1, >= 18.0.0, < 18.9.1
CRITICAL9.1llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields
>= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.0, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.16.0, >= 18.0.0, < 18.5.0
HIGH8.8Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-…
>= 20.0.0, < 20.11.1, >= 21.0.0, < 21.6.2
HIGH8.8A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model.
>= 20.0.0, < 20.5.1
HIGH8.8The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition f…
from 0, < 16.20.2, >= 17.0.0, < 18.17.1, >= 19.0.0, < 20.5.1
HIGH8.8icu - security update
>= 10.13.0, < 10.21.0
HIGH8.2An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2…
from 0, < 18.20.1, >= 19.0.0, < 20.12.1, >= 21.0.0, < 21.7.2
HIGH8.2Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "propertie…
>= 12.0.0, < 12.22.9, >= 14.0.0, < 14.18.3, >= 16.0.0, < 16.13.2, >= 17.0.0, < 17.3.1
HIGH8.1Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject…
from 0, < 18.20.2, >= 19.0.0, < 20.12.2, >= 21.0.0, < 21.7.3
HIGH8.1Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via chil…
from 0, < 18.20.4, >= 19.0.0, < 20.15.1, >= 21.0.0, < 22.4.1
HIGH8.1nodejs - security update
>= 14.0.0, < 14.14.1, >= 14.15.0, < 14.21.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.18.1, >= 18.0.0, < 18.11.1, >= 18.12.0, < 18.12.1, >= 19.0.0, < 19.0.1
HIGH8.1nodejs - security update
>= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.17.1, >= 18.0.0, < 18.5.0
HIGH8.1nodejs - security update
>= 10.0.0, < 10.23.1, >= 12.0.0, < 12.20.1, >= 14.0.0, < 14.15.4, >= 15.0.0, < 15.5.1
HIGH8.1napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
from 0, < 10.21.0, >= 12.0.0, < 12.18.0, >= 14.0.0, < 14.4.0
HIGH7.8Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platfor…
>= 12.0.0, < 12.22.2, >= 14.0.0, < 14.17.2, >= 16.0.0, < 16.4.1
HIGH7.8On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running wit…
from 0, < 18.19.1, >= 19.0.0, < 20.11.1, >= 21.0.0, < 21.6.2
HIGH7.8The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which…
>= 10.0.0, < 10.22.1, >= 12.0.0, < 12.18.4, >= 14.0.0, < 14.9.0
HIGH7.7With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created.
>= 19.0.0, < 20.18.2, >= 21.0.0, < 22.13.1, >= 23.0.0, < 23.8.0
HIGH7.7A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model.
>= 20.0.0, < 20.3.1
HIGH7.5A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the a…
from 0, < 20.20.2, >= 21.0.0, < 22.22.2, >= 23.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
HIGH7.5nodejs - security update
from 0, < 20.20.0, >= 21.0.0, < 22.22.0, >= 23.0.0, < 24.13.0, >= 25.0.0, < 25.3.0
HIGH7.5We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.cre…
from 0, < 20.20.0, >= 21.0.0, < 22.22.0, >= 23.0.0, < 24.13.0, >= 25.0.0, < 25.3.0
HIGH7.5A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` e…
from 0, < 20.20.0, >= 21.0.0, < 22.22.0, >= 23.0.0, < 24.13.0, >= 25.0.0, < 25.3.0
HIGH7.5An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX.
>= 4.0.0, < 20.19.4, >= 22.0.0, < 22.17.1, >= 24.0.0, < 24.4.1
HIGH7.5The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash.
>= 24.0.0, < 24.4.1
HIGH7.5The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background…
from 0, < 20.19.2, >= 21.0.0, < 22.15.1, >= 23.0.0, < 24.0.2
HIGH7.5fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in…
>= 20.0.0, < 20.3.1
HIGH7.5A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspec…
>= 20.0.0, < 20.3.1
HIGH7.5Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unab…
>= 14.0.0, < 14.11.0
HIGH7.5A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install No…
>= 16.0.0, < 16.20.1, >= 18.0.0, < 18.16.1, >= 20.0.0, < 20.3.1
HIGH7.5A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission m…
>= 20.0.0, < 20.3.1
HIGH7.5The use of the deprecated API `process.binding()` can bypass the permission model through path traversal.
>= 20.0.0, < 20.5.1
HIGH7.5A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6.
>= 20.0.0, < 20.8.1
HIGH7.5A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resou…
from 0, < 18.19.1, >= 19.0.0, < 20.11.1, >= 21.0.0, < 21.6.2
HIGH7.5nodejs - security update
>= 16.0.0, < 16.20.1, >= 18.0.0, < 18.16.1, >= 20.0.0, < 20.3.1
HIGH7.5The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.js…
>= 16.0.0, < 16.20.1, >= 18.0.0, < 18.16.1, >= 20.0.0, < 20.3.1
HIGH7.5When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation…
from 0, < 18.18.2, >= 19.0.0, < 20.8.1
HIGH7.5A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
from 0, < 16.20.2, >= 17.0.0, < 18.17.1, >= 19.0.0, < 20.5.1
HIGH7.5nodejs - security update
>= 16.0.0, < 16.20.1, >= 18.0.0, < 18.16.1, >= 20.0.0, < 20.3.1
HIGH7.5A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL err…
>= 14.0.0, < 14.21.3, >= 16.0.0, < 16.19.1, >= 18.0.0, < 18.14.1, >= 19.0.0, < 19.2.0
HIGH7.5nodejs - security update
>= 14.0.0, < 14.21.3, >= 16.0.0, < 16.19.1, >= 18.0.0, < 18.14.1, >= 19.0.0, < 19.6.1
HIGH7.5X.509 Email Address Variable Length Buffer Overflow
>= 18.0.0, < 18.11.0, >= 18.12.0, < 18.12.1, >= 19.0.0, < 19.0.1
HIGH7.5Infinite loop in BN_mod_sqrt() reachable when parsing certificates
>= 12.0.0, < 12.12.1, >= 12.13.0, < 12.22.11, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.19.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.14.2, >= 17.0.0, < 17.7.2
HIGH7.5Invalid handling of X509_verify_cert() internal errors in libssl
>= 17.0.0, < 17.3.0
HIGH7.5Integer overflow in CipherUpdate
>= 10.0.0, < 10.12.1, >= 10.13.0, < 10.24.0, >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.21.0, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.15.1, >= 15.0.0, < 15.10.0
HIGH7.5Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory…
>= 12.0.0, < 12.22.5, >= 14.0.0, < 14.17.5, >= 16.0.0, < 16.6.2
HIGH7.5Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”.
>= 10.0.0, < 10.24.0, >= 12.0.0, < 12.21.0, >= 14.0.0, < 14.16.0, >= 15.0.0, < 15.10.0
HIGH7.5nodejs - security update
>= 10.0.0, < 10.24.0, >= 12.0.0, < 12.21.0, >= 14.0.0, < 14.16.0, >= 15.0.0, < 15.10.0
HIGH7.5A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in vers…
>= 12.16.3, < 12.19.1, >= 14.13.0, < 14.15.1, >= 15.0.0, < 15.2.1
HIGH7.5Denial of service in nghttp2
>= 10.13.0, < 10.21.0, >= 12.13.0, < 12.18.0, >= 14.0.0, < 14.4.1
HIGH7.5A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buf…
>= 24.0.0, < 24.12.0
HIGH7.4nodejs - security update
from 0, < 18.19.1, >= 19.0.0, < 20.11.1, >= 21.0.0, < 21.6.1
HIGH7.4Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in…
from 0, < 12.22.9, >= 14.0.0, < 14.18.3, >= 16.0.0, < 16.13.2, >= 17.0.0, < 17.3.1
HIGH7.4CA certificate check bypass with X509_V_FLAG_X509_STRICT
>= 10.0.0, < 10.24.1, >= 12.0.0, < 12.22.1, >= 14.0.0, < 14.16.1, >= 15.0.0, < 15.14.0
HIGH7.4Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users.
>= 12.0.0, < 12.18.4, >= 14.0.0, < 14.11.0
HIGH7.4TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.
>= 12.0.0, < 12.18.0, >= 14.0.0, < 14.4.0
HIGH7.3setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid().
>= 20.0.0, < 20.11.1, >= 21.0.0, < 21.6.2
HIGH7.3Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be explo…
>= 14.0.0, < 14.14.1, >= 14.14.0, < 14.20.0, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.16.0, >= 18.0.0, < 18.0.5
HIGH7.1A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module wi…
from 0, < 20.20.0, >= 21.0.0, < 22.22.0, >= 23.0.0, < 24.13.0, >= 25.0.0, < 25.3.0
MEDIUM6.5A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`.
from 0, < 20.19.2
MEDIUM6.5A security flaw in Node.js allows a bypass of network import restrictions.
from 0, < 18.20.4, >= 19.0.0, < 20.15.1, >= 21.0.0, < 22.4.1
MEDIUM6.5The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path.
>= 20.0.0, < 20.11.1, >= 21.0.0, < 21.6.2
MEDIUM6.5The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to…
from 0, < 18.20.1, >= 19.0.0, < 20.12.1, >= 21.0.0, < 21.7.2
MEDIUM6.5A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fe…
from 0, < 18.19.1, >= 19.0.0, < 20.11.1, >= 21.0.0, < 21.6.2
MEDIUM6.5The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF.
>= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.17.1, >= 18.0.0, < 18.9.1
MEDIUM6.5The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding he…
>= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.0, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.16.0, >= 18.0.0, < 18.5.0
MEDIUM6.5http-parser - security update
>= 10.0.0, < 10.23.1, >= 12.0.0, < 12.20.1, >= 14.0.0, < 14.15.4, >= 15.0.0, < 15.5.1
MEDIUM5.9A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially p…
from 0, < 20.20.2, >= 21.0.0, < 22.22.2, >= 23.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
MEDIUM5.9A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timin…
from 0, < 20.20.2, >= 21.0.0, < 22.22.2, >= 23.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
MEDIUM5.9NULL pointer deref in signature_algorithms processing
>= 10.0.0, < 10.12.1, >= 10.13.0, < 10.24.1, >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.22.1, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.16.1, >= 15.0.0, < 15.14.0
MEDIUM5.9EDIPARTYNAME NULL pointer dereference
>= 10.13.0, < 10.23.1, >= 12.13.0, < 12.20.1, >= 14.15.0, < 14.15.4, >= 15.0.0, < 15.5.0
MEDIUM5.7A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalize…
>= 24.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
MEDIUM5.6c-ares - security update
>= 12.0.0, < 12.12.1, >= 12.13.0, < 12.22.5, >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.17.5, >= 16.0.0, < 16.6.2
MEDIUM5.5A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment.
from 0, < 18.20.6, >= 19.0.0, < 20.18.2, >= 21.0.0, < 22.13.1, >= 23.0.0, < 23.8.0
MEDIUM5.3A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission ch…
>= 25.0.0, < 25.8.2
MEDIUM5.3A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow…
from 0, < 20.20.2, >= 21.0.0, < 22.22.2, >= 23.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
MEDIUM5.3A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process…
>= 20.0.0, < 20.20.0, >= 21.0.0, < 22.22.0, >= 23.0.0, < 24.13.0, >= 25.0.0, < 25.3.0
MEDIUM5.3nodejs - security update
from 0, < 18.20.6, >= 19.0.0, < 20.18.2, >= 21.0.0, < 22.13.1, >= 23.0.0, < 23.8.0
MEDIUM5.3A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read fl…
>= 20.0.0, < 20.3.1
MEDIUM5.3Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code.
from 0, < 18.18.2, >= 19.0.0, < 20.8.1
MEDIUM5.3A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf…
>= 18.0.0, < 18.5.0
MEDIUM5.3`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack.
>= 20.0.0, < 20.5.1
MEDIUM5.3A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read fl…
>= 20.0.0, < 20.5.1
MEDIUM5.3When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs mak…
>= 16.0.0, < 16.20.1, >= 18.0.0, < 18.16.1, >= 20.0.0, < 20.3.1
MEDIUM5.3Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly.
from 0, < 12.22.9, >= 14.0.0, < 14.18.3, >= 16.0.0, < 16.13.2, >= 17.0.0, < 17.3.1
MEDIUM5.3Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format.
from 0, < 12.22.9, >= 14.0.0, < 14.18.3, >= 16.0.0, < 16.13.2, >= 17.0.0, < 17.3.1
MEDIUM5.3If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned a…
>= 12.0.0, < 12.22.5, >= 14.0.0, < 14.17.5, >= 16.0.0, < 16.6.2
MEDIUM5.3libuv1 - security update
>= 12.0.0, < 12.22.2, >= 14.0.0, < 14.17.2, >= 16.0.0, < 16.4.1
MEDIUM4.6CRLF Injection in Nodejs ‘undici’ via host
>= 16.0.0, < 16.19.1, >= 18.0.0, < 18.14.1, >= 19.0.0, < 19.6.1
MEDIUM4.2nodejs - security update
>= 14.0.0, < 14.21.3, >= 16.0.0, < 16.19.1, >= 18.0.0, < 18.14.1, >= 19.0.0, < 19.6.1
LOW3.7In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocate…
from 0, < 20.19.2, >= 21.0.0, < 22.15.1
LOW3.6The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not al…
>= 19.0.0, < 20.15.1, >= 21.0.0, < 22.4.1
LOW3.3An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permissi…
from 0, < 20.20.2, >= 21.0.0, < 22.22.2, >= 23.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
LOW3.3A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, wh…
from 0, < 20.20.2, >= 21.0.0, < 22.22.2, >= 23.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
LOW3.3A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used.
>= 20.0.0, < 20.15.1, >= 21.0.0, < 22.4.1
LOW2.9A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used.
>= 20.0.0, < 20.15.1, >= 21.0.0, < 22.4.1
—Rejected reason: This CVE record has been withdrawn due to a duplicate entry CVE-2025-23165.
from 0, < 20.19.2, >= 21.0.0, < 22.15.1
—Rejected reason: This Record was REJECTED after determining it is not in compliance with CVE Program requirements regarding assignment for…
from 0, <= 0.12.18, >= 1.0.0, <= 1.8.4, >= 2.0.0, <= 2.13.2, >= 3.0.0, <= 3.3.1, >= 4.0.0, <= 4.9.1, >= 5.0.0, <= 5.12.0, >= 6.0.0, <= 6.17.1, >= 7.0.0, <= 7.10.1, >= 8.0.0, <= 8.17.0, >= 9.0.0, <= 9.11.2, >= 10.0.0, <= 10.24.1, >= 11.0.0, <= 11.15.0, >= 12.0.0, <= 12.22.12, >= 13.0.0, <= 13.14.0, >= 14.0.0, <= 14.21.3, >= 15.0.0, <= 15.14.0, >= 16.0.0, <= 16.20.2, >= 17.0.0, <= 17.9.1
—Rejected reason: This Record was REJECTED after determining it is not in compliance with CVE Program requirements regarding assignment for…
>= 19.0.0, <= 19.9.0
—Rejected reason: This Record was REJECTED after determining it is not in compliance with CVE Program requirements regarding assignment for…
>= 21.0.0, <= 21.7.3
—Rejected reason: This CVE record has been withdrawn due to a duplicate entry CVE-2025-23083.
>= 19.0.0, < 20.18.2, >= 21.0.0, < 22.13.1, >= 23.0.0, < 23.8.0