Node.js - HackerOne Reports
Total Reports: 113
Critical: 8
High: 37
Medium: 44
Low: 15

Windows Device Names Still Allow Path Traversal in UNC Paths After CVE-2025-27210 Fix
Reported by: oblivionsage
Disclosed:
Severity: High
Weakness: Path Traversal
CVEs: CVE-2025-27210

registry.nodejs.org Subdomain Takeover
Reported by: dade
Disclosed:
Weakness: Man-in-the-Middle

Undici does not use CONNECT or otherwise validate upstream HTTPS certificates when using a proxy
Reported by: pimterry
Disclosed:
Severity: High
Weakness: Improper Certificate Validation

setuid() does not drop all privileges due to io_uring
Reported by: valette
Disclosed:
Severity: High
Weakness: Privilege Escalation

Path traversal through path stored in Uint8Array
Reported by: tniessen
Disclosed:
Severity: High
Weakness: Path Traversal

Node.js Certificate Verification Bypass via String Injection
Reported by: bengl
Disclosed:
Severity: Medium
Weakness: Improper Following of a Certificate's Chain of Trust
CVEs: CVE-2021-3712

Process-based permissions can be bypassed with the "inspector" module.
Reported by: mattaustin
Disclosed:
Severity: High
Weakness: Improper Access Control - Generic

Multiple permission model bypasses due to improper path traversal sequence sanitization
Reported by: xion
Disclosed:
Severity: High
Weakness: Path Traversal

Path traversal by drive name in Windows environment
Reported by: taise
Disclosed:
Severity: Medium
Weakness: Path Traversal

HTTP Request Smuggling via Empty headers separated by CR
Reported by: yadhukrishnam
Disclosed:
Severity: Medium
Weakness: HTTP Request Smuggling

Hostname spoofing
Reported by: tosh
Disclosed:

Child process environment injection via prototype pollution
Reported by: coreyfarrell
Disclosed:
Weakness: Code Injection

WASI sandbox escape via symlink
Reported by: jessewilson
Disclosed:
Severity: Medium
Weakness: Privilege Escalation

Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()
Reported by: oblivionsage
Disclosed:
Severity: High
Weakness: Path Traversal

HTTP Request Smuggling Due to Incorrect Parsing of Header Fields
Reported by: vvx7
Disclosed:
Severity: Medium
Weakness: HTTP Request Smuggling

DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices)
Reported by: zeyu2001
Disclosed:
Severity: High
Weakness: Improper Access Control - Generic

Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests
Reported by: shogunpanda
Disclosed:
Severity: Critical
Weakness: Uncontrolled Resource Consumption
Bounty: $250.00

HTTP request splitting
Reported by: arkadiyt
Disclosed:
Severity: Medium
Weakness: HTTP Response Splitting

HTTP Request Smuggling due to accepting space before colon
Reported by: mkg
Disclosed:
Severity: Medium
Weakness: HTTP Request Smuggling
Bounty: $250.00

Potential HTTP Request Smuggling in nodejs
Reported by: piao
Disclosed:
Severity: Low
Weakness: HTTP Request Smuggling
Bounty: $250.00