pkg:Debian/nodejs
115 total CVEs: CRITICAL 10, HIGH 66, MEDIUM 30, LOW 5
Check your installed version
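The version check on this page is an interactive widget. What follows is an added example, not the tracker's own code and not Debian's, that performs the same check offline against ranges written the way this listing writes them ("from 0, < 12.22.12~dfsg-1~deb11u5"). It reimplements the dpkg version-comparison algorithm so that Debian suffixes order correctly: a `~` sorts before the empty string, so `18.20.4+dfsg-1~deb12u1` is less than `18.20.4+dfsg-1`, and `~deb12u2` is less than `~deb12u10`. The sample ranges are copied from the listing below; the installed version string is constructed. The `same_suite_only` filter and the `suite_tag()` helper are my own heuristic: each line here records the fix version for one Debian suite, so a bookworm package being numerically below a trixie fix version says nothing by itself. A range of `from 0` with no upper bound means no fixed version is recorded, so every installed version matches it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


def _order(c: str) -> int:
    """Character weight used by dpkg: '~' < end-of-string < digits/letters < others."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp(): alternate non-digit runs (by _order) and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros do not count
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1  # longer digit run is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split [epoch:]upstream[-revision]; the revision follows the LAST '-'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, _, revision = v.rpartition("-")
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


@dataclass
class AffectedRange:
    cve: str
    low: str
    high: Optional[str]  # None: no fixed version recorded ("from 0" alone)


_RANGE_RE = re.compile(r"from\s+(\S+?)(?:,\s*<\s*(\S+))?")


def parse_range(cve: str, text: str) -> AffectedRange:
    m = _RANGE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised range: {text!r}")
    return AffectedRange(cve, m.group(1), m.group(2))


def suite_tag(version: str) -> Optional[str]:
    """Heuristic (my assumption): stable-update versions embed deb11u/deb12u/deb13u."""
    m = re.search(r"(deb\d+)u\d+", version)
    return m.group(1) if m else None


def is_affected(installed: str, r: AffectedRange) -> bool:
    if compare_versions(installed, r.low) < 0:
        return False
    return r.high is None or compare_versions(installed, r.high) < 0


def affected_cves(installed: str, ranges: List[AffectedRange], same_suite_only: bool = True) -> List[str]:
    """CVEs whose range contains `installed`; optionally ignore other suites' fix versions."""
    mine = suite_tag(installed)
    out = []
    for r in ranges:
        theirs = suite_tag(r.high) if r.high else None
        if same_suite_only and mine and theirs and mine != theirs:
            continue
        if is_affected(installed, r):
            out.append(r.cve)
    return out


# Sample ranges copied from the listing on this page; the installed version is constructed.
SAMPLE_ENTRIES = [
    ("CVE-2024-22019", "from 0, < 12.22.12~dfsg-1~deb11u5"),
    ("CVE-2024-21892", "from 0, < 18.20.4+dfsg-1~deb12u1"),
    ("CVE-2026-21710", "from 0, < 18.20.4+dfsg-1~deb12u2"),
    ("CVE-2025-55130", "from 0, < 20.19.2+dfsg-1+deb13u1"),
    ("CVE-2023-32002", "from 0"),
]
RANGES = [parse_range(c, t) for c, t in SAMPLE_ENTRIES]
INSTALLED = "18.19.0+dfsg-6~deb12u2"  # on a real host: dpkg-query -W -f='${Version}' nodejs

if __name__ == "__main__":
    for cve in affected_cves(INSTALLED, RANGES):
        print(cve)
```

Compare the Debian package version, never the upstream Node.js version: Debian backports fixes into stable without bumping the upstream number, so `node --version` printing 18.19.0 does not by itself mean a 18.x CVE is unpatched, while a package version below the listed fix version does.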
All known vulnerabilities
- CRITICAL 9.8 CVE-2023-32002: The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. Affected: from 0
- from 0, < 10.24.0~dfsg-1~deb10u2
- from 0, < 12.22.5~dfsg-2~11u1
- CRITICAL 9.8 CVE-2019-15606: Including trailing white space in HTTP header values in Node.js 10, 12, and 13 causes bypass of authorization based on header value comparis… Affected: from 0, < 10.19.0~dfsg-1
- CRITICAL 9.8 CVE-2019-15605: HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed. Affected: from 0, < 10.19.0~dfsg-1
- CRITICAL 9.8 CVE-2015-6764: The BasicJsonStringifier::SerializeJSArray function in json-stringifier.h in the JSON stringifier in Google V8, as used in Google Chrome be… Affected: from 0, < 4.2.3~dfsg-1
- CRITICAL 9.1 CVE-2025-55130: A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relati… Affected: from 0, < 20.19.2+dfsg-1+deb13u1
- CRITICAL 9.1 CVE-2022-35255: A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyG… Affected: from 0, < 12.22.12~dfsg-1~deb11u3
- CRITICAL 9.1 CVE-2022-32214: llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields. Affected: from 0, < 12.22.12~dfsg-1~deb11u3
- CRITICAL 9.1 CVE-2022-32213: llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding. Affected: from 0, < 12.22.12~dfsg-1~deb11u3
- HIGH 8.8 CVE-2023-32006: The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition f… Affected: from 0
- HIGH 8.8 CVE-2018-7160: The Node.js inspector, in 6.x and later, is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. Affected: from 0, < 8.11.1~dfsg-2
- HIGH 8.8 CVE-2016-1669: The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as used in Google Chrome before 50.0.2661.102, does not properly determine… Affected: from 0, < 4.4.6~dfsg-1
- HIGH 8.2 CVE-2024-27983: An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2… Affected: from 0, < 12.22.12~dfsg-1~deb11u5
- HIGH 8.2 CVE-2022-21824: Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "propertie… Affected: from 0, < 12.22.12~dfsg-1~deb11u1
- from 0, < 10.24.0~dfsg-1~deb10u3
- from 0, < 12.22.12~dfsg-1~deb11u3
- from 0, < 12.22.12~dfsg-1~deb11u3
- from 0, < 12.22.12~dfsg-1~deb11u3
- from 0, < 10.23.1~dfsg-1~deb10u1
- from 0, < 12.20.1~dfsg-1
- HIGH 8.1 CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0. Affected: from 0, < 10.21.0~dfsg-1
- HIGH 8.1 CVE-2014-9748: The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from releasi… Affected: from 0, < 4.0.0~dfsg-1
- HIGH 8.1 CVE-2018-12120: Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `n… Affected: from 0, < 8.9.3~dfsg-5
- HIGH 7.8 CVE-2024-21892: On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running wit… Affected: from 0, < 18.20.4+dfsg-1~deb12u1
- HIGH 7.7 CVE-2025-23083: With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. Affected: from 0, < 20.18.2+dfsg-1
- HIGH 7.5 CVE-2026-21710: A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the a… Affected: from 0, < 18.20.4+dfsg-1~deb12u2
- from 0, < 12.22.12~dfsg-1~deb11u8
- from 0, < 20.19.2+dfsg-1+deb13u2
- HIGH 7.5 CVE-2025-59466: We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.cre… Affected: from 0
- HIGH 7.5 CVE-2025-59465: A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` e… Affected: from 0, < 12.22.12~dfsg-1~deb11u8
- HIGH 7.5 CVE-2025-23166: The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background… Affected: from 0, < 18.20.4+dfsg-1~deb12u2
- HIGH 7.5 CVE-2024-22019: A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resou… Affected: from 0, < 12.22.12~dfsg-1~deb11u5
- from 0, < 10.16.3~dfsg-1
- from 0, < 12.22.12~dfsg-1~deb11u5
- from 0, < 10.24.0~dfsg-1~deb10u4
- HIGH 7.5 CVE-2023-30581: The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.js… Affected: from 0
- HIGH 7.5 CVE-2023-38552: When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation… Affected: from 0, < 18.19.0+dfsg-6~deb12u1
- HIGH 7.5 CVE-2023-32559: A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and 20.x. Affected: from 0, < 12.22.12~dfsg-1~deb11u5
- from 0, < 12.22.12~dfsg-1~deb11u5
- from 0, < 12.22.12~dfsg-1~deb11u5
- HIGH 7.5 CVE-2023-23919: A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases does not clear the OpenSSL err… Affected: from 0, < 18.19.0+dfsg-6~deb12u1
- from 0, < 18.19.0+dfsg-6~deb12u1
- from 0, < 18.19.0+dfsg-6~deb12u1
- HIGH 7.5 CVE-2021-22940: Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory… Affected: from 0, < 12.22.5~dfsg-1
- HIGH 7.5 CVE-2021-22884: Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. Affected: from 0, < 12.21.0~dfsg-1
- from 0, < 10.24.0~dfsg-1~deb10u1
- from 0, < 12.21.0~dfsg-1
- from 0, < 10.21.0~dfsg-1~deb10u1
- from 0, < 10.21.0~dfsg-1
- from 0, < 10.19.0~dfsg-1
- from 0, < 10.19.0~dfsg1-1
- HIGH 7.5 CVE-2019-9513: Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. Affected: from 0, < 10.16.3~dfsg-1
- from 0, < 10.16.3~dfsg-1
- HIGH 7.5 CVE-2019-5739: Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Affected: from 0, < 8.9.3~dfsg-5
- HIGH 7.5 CVE-2019-5737: In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of… Affected: from 0, < 10.15.2~dfsg-1
- HIGH 7.5 CVE-2018-12122: Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial… Affected: from 0, < 10.15.0~dfsg-6
- HIGH 7.5 CVE-2018-12121: Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combinatio… Affected: from 0, < 10.15.0~dfsg-6
- HIGH 7.5 CVE-2018-12116: Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provi… Affected: from 0, < 10.15.0~dfsg-6
- HIGH 7.5 CVE-2018-12115: In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`… Affected: from 0, < 10.15.0~dfsg-6
- HIGH 7.5 CVE-2018-7167: Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. Affected: from 0, < 10.15.0~dfsg-6
- HIGH 7.5 CVE-2018-7164: Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. Affected: from 0, < 10.15.0~dfsg-6
- from 0, < 10.15.0~dfsg-6
- HIGH 7.5 CVE-2018-7161: All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. Affected: from 0, < 10.15.0~dfsg-6
- HIGH 7.5 CVE-2018-7158: The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. Affected: from 0, < 6.0.0~dfsg-1
- HIGH 7.5 CVE-2015-7384: Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service. Affected: from 0, < 4.1.1~dfsg-3
- HIGH 7.5 CVE-2017-11499: Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 were susceptible to h… Affected: from 0, < 4.8.4~dfsg-1
- HIGH 7.5 CVE-2016-2216: The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x bef… Affected: from 0, < 4.3.0~dfsg-1
- HIGH 7.5 CVE-2016-2086: Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request… Affected: from 0, < 4.3.0~dfsg-1
- HIGH 7.5 CVE-2015-8027: Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, whi… Affected: from 0, < 4.2.3~dfsg-1
- HIGH 7.5 CVE-2025-59464: A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buf… Affected: from 0
- from 0, < 18.20.4+dfsg-1~deb12u1
- from 0, < 12.22.12~dfsg-1~deb11u5
- HIGH 7.4 CVE-2021-44531: Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in… Affected: from 0, < 12.22.12~dfsg-1~deb11u1
- HIGH 7.4 CVE-2020-8201: Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. Affected: from 0, < 12.18.4~dfsg-1
- HIGH 7.1 CVE-2025-55131: A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module wi… Affected: from 0, < 18.20.4+dfsg-1~deb12u2
- from 0, < 12.22.12~dfsg-1~deb11u7
- from 0, < 12.22.12~dfsg-1~deb11u7
- from 0, < 18.20.4+dfsg-1~deb12u1
- MEDIUM 6.5 CVE-2024-27982: The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to… Affected: from 0, < 12.22.12~dfsg-1~deb11u5
- MEDIUM 6.5 CVE-2024-22025: A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fe… Affected: from 0, < 12.22.12~dfsg-1~deb11u5
- MEDIUM 6.5 CVE-2022-35256: The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. Affected: from 0, < 12.22.12~dfsg-1~deb11u3
- MEDIUM 6.5 CVE-2022-32215: The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding he… Affected: from 0, < 12.22.12~dfsg-1~deb11u3
- from 0, < 12.22.12~dfsg-1~deb11u1
- from 0, < 12.22.12~dfsg-1~deb11u1
- from 0, < 12.22.12~dfsg-1~deb11u1
- from 0, < 12.20.1~dfsg-1
- MEDIUM 6.1 CVE-2016-5325: CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4… Affected: from 0, < 4.6.0~dfsg-1
- MEDIUM 5.9 CVE-2026-21717: A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially p… Affected: from 0
- MEDIUM 5.9 CVE-2026-21713: A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timin… Affected: from 0, < 18.20.4+dfsg-1~deb12u2
- MEDIUM 5.9 CVE-2016-7099: The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does n… Affected: from 0, < 4.6.0~dfsg-1
- MEDIUM 5.7 CVE-2026-21712: A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalize… Affected: from 0
- MEDIUM 5.3 CVE-2026-21714: A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow… Affected: from 0, < 12.22.12~dfsg-1~deb11u8
- MEDIUM 5.3 CVE-2025-55132: A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process… Affected: from 0, < 20.19.2+dfsg-1+deb13u1
- from 0, < 12.22.12~dfsg-1~deb11u6
- from 0, < 12.22.12~dfsg-1~deb11u6
- from 0, < 20.19.2+dfsg-1+deb13u1
- MEDIUM 5.3 CVE-2023-39333: Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. Affected: from 0, < 18.19.0+dfsg-6~deb12u1
- MEDIUM 5.3 CVE-2023-30588: When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API an unexpected termination occurs mak… Affected: from 0, < 18.19.0+dfsg-6~deb12u1
- MEDIUM 5.3 CVE-2021-44533: Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Affected: from 0, < 12.22.12~dfsg-1~deb11u1
- MEDIUM 5.3 CVE-2021-44532: Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. Affected: from 0, < 12.22.12~dfsg-1~deb11u1
- MEDIUM 5.3 CVE-2021-22939: If the Node.js https API was used incorrectly and "undefined" was passed for the "rejectUnauthorized" parameter, no error was returned a… Affected: from 0, < 12.22.5~dfsg-2~11u1
- MEDIUM 5.3 CVE-2018-7159: The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1… Affected: from 0, < 8.11.1~dfsg-2
- MEDIUM 4.3 CVE-2018-12123: Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a No… Affected: from 0, < 10.15.0~dfsg-6
- from 0, < 12.22.12~dfsg-1~deb11u4
- from 0, < 12.22.12~dfsg-1~deb11u4
- LOW 3.7 CVE-2025-23165: In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocate… Affected: from 0, < 20.19.2+dfsg-1
- LOW 3.3 CVE-2026-21716: An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permissi… Affected: from 0, < 20.19.2+dfsg-1+deb13u2
- LOW 3.3 CVE-2026-21715: A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, wh… Affected: from 0, < 20.19.2+dfsg-1+deb13u2
- LOW 3.3 CVE-2024-36137: A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Affected: from 0, < 20.15.1+dfsg-1
- LOW 2.9 CVE-2024-22018: A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. Affected: from 0, < 20.15.1+dfsg-1
- (unscored) CVE-2014-5256: Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collec… Affected: from 0, < 0.10.38~dfsg-1
- (unscored) CVE-2013-4450: The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and C… Affected: from 0, < 0.10.21~dfsg1-1
- (unscored) CVE-2012-2330: The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string,… Affected: from 0, < 0.6.17~dfsg1-1
- from 0