Loading HuntDB...

Vulnerability Intelligence by wss.sh

Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News

More Sources

HackerOne Reports

Bug bounty disclosures

WordPress Vulnerabilities

WordPress plugins & themes

Tools & Data

Trending Insights

Popular vulnerabilities

Advanced Search

Filter & search CVEs

Product Inventory

Software & vendors

Sign In Sign Up

Node.js - HackerOne Reports

View on HackerOne

113

Total Reports

8

Critical

37

High

44

Medium

15

Low

Path traversal by monkey-patching Buffer internals

Reported by: tniessen | Disclosed:

High

Weakness: Path Traversal

fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks.

Reported by: haxatron1 | Disclosed:

Low

Weakness: Path Traversal

fs.openAsBlob() bypasses permission system

Reported by: cjihrig | Disclosed:

Medium

Weakness: Improper Access Control - Generic

fs module's file watching is not restricted by --allow-fs-read

Reported by: cjihrig | Disclosed:

Medium

Weakness: Improper Access Control - Generic

fs.fchown/fchmod bypasses permission model

Reported by: 4xpl0r3r | Disclosed:

Low

Weakness: Improper Access Control - Generic

Permissions can be bypassed via arbitrary code execution through abusing libuv signal pipes

Reported by: xion | Disclosed:

Weakness: Privilege Escalation

Proxy-Authorization header is not cleared in cross-domain redirect in undici

Reported by: timon8 | Disclosed:

Low

Weakness: Information Disclosure

Built-in TLS module unexpectedly treats "rejectUnauthorized: undefined" as "rejectUnauthorized: false", disabling all certificate validation

Reported by: pimterry | Disclosed:

Low

Weakness: Improper Certificate Validation

Bounty: $150.00

HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (improper fix for CVE-2022-32215)

Reported by: shacharm | Disclosed:

Medium

Weakness: HTTP Request Smuggling

CVEs: CVE-2022-32215

Your page has 2 blocking CSS resources. This causes a delay in rendering your page.

Reported by: joy261 | Disclosed:

Critical

Weakness: Array Index Underflow

fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect

Reported by: uzlopak | Disclosed:

Weakness: Violation of Secure Design Principles

Dependency Policy Bypass via process.binding

Reported by: leodog896 | Disclosed:

Medium

Weakness: Privilege Escalation

Usage of unsafe random function in undici for choosing boundary

Reported by: parrot409 | Disclosed:

Medium

Weakness: Use of Insufficiently Random Values

Renaming/aliasing relative symbolic links potentially redirects them to supposedly inaccessible locations

Reported by: tniessen | Disclosed:

Medium

Weakness: Privilege Escalation

napi_get_value_string_X allow various kinds of memory corruption

Reported by: tniessen | Disclosed:

High

Weakness: Memory Corruption - Generic

Bounty: $250.00

fs.lstat bypasses permission model

Reported by: haxatron1 | Disclosed:

Low

Weakness: Privilege Escalation

Improper handling of untypical characters in domain names

Reported by: philippjeitner | Disclosed:

High

Weakness: Improper Null Termination

HashDoS in V8

Reported by: sharp_edged | Disclosed:

High

Weakness: Cryptographic Issues - Generic

Improper HTTP header block termination in llhttp

Reported by: kenballus | Disclosed:

Medium

Weakness: HTTP Request Smuggling

Potential HTTP Request Smuggling in nodejs

Reported by: piao | Disclosed:

Low

Weakness: HTTP Request Smuggling

Bounty: $250.00

Page 1 of 6 Next