Loading HuntDB...

Vulnerability Intelligence by wss.sh

Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News

More Sources

HackerOne Reports

Bug bounty disclosures

WordPress Vulnerabilities

WordPress plugins & themes

Tools & Data

Trending Insights

Popular vulnerabilities

Advanced Search

Filter & search CVEs

Product Inventory

Software & vendors

Sign In Sign Up

Node.js - HackerOne Reports

View on HackerOne

113

Total Reports

8

Critical

37

High

44

Medium

15

Low

Fix for CVE-2018-12122 can be bypassed via keep-alive requests

Reported by: mpracucci | Disclosed:

Medium

Weakness: Uncontrolled Resource Consumption

CVEs: CVE-2018-12122

Filesystem experimental permissions policy does not handle path traversal cases.

Reported by: haxatron1 | Disclosed:

High

Weakness: Path Traversal

Vulnerability in http-parser & embedded NULL header handling

Reported by: htuch | Disclosed:

High

Weakness: Improper Null Termination

CVEs: CVE-2019-9900

CWE-195 in ExternalMemoryAccounter::Increase()

Reported by: codingthunder | Disclosed:

Node 18 reads openssl.cnf from /home/iojs/build/... upon startup.

Reported by: msvrmiscovet | Disclosed:

Medium

Weakness: Cryptographic Issues - Generic

Permissions policies can be bypassed via process.mainModule

Reported by: goums | Disclosed:

High

Weakness: Privilege Escalation

OpenSSL engines can be used to bypass and/or disable the permission model

Reported by: tniessen | Disclosed:

Medium

Weakness: Privilege Escalation

Malformed HTTP/2 SETTINGS frame leads to reachable assert

Reported by: jzebor | Disclosed:

Critical

Weakness: Uncontrolled Resource Consumption

Bounty: $250.00

Http response is not ended although underlying socket is already destroyed

Reported by: verdaster | Disclosed:

Weakness: Uncontrolled Resource Consumption

Permission model bypass by specifying a path traversal sequence in a buffer,

Reported by: haxatron1 | Disclosed:

High

Weakness: Path Traversal

DiffieHellman doesn't generate keys after setting a key

Reported by: bensmyth | Disclosed:

Medium

Weakness: Inconsistency Between Implementation and Documented Design

CVE-2022-32213 bypass via obs-fold mechanic

Reported by: haxatron1 | Disclosed:

Medium

Weakness: HTTP Request Smuggling

CVEs: CVE-2022-32213

Slowloris, body parsing

Reported by: underflow0 | Disclosed:

Low

Weakness: Uncontrolled Resource Consumption

Bounty: $250.00

HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding

Reported by: zeyu2001 | Disclosed:

Medium

Weakness: HTTP Request Smuggling

CRLF Injection in Nodejs ‘undici’ via host

Reported by: timon8 | Disclosed:

Medium

Weakness: CRLF Injection

fs.statfs bypasses Permission Model

Reported by: rafaelgss | Disclosed:

Low

Weakness: Improper Access Control - Generic

process.binding() can bypass the permission model through path traversal

Reported by: rafaelgss | Disclosed:

High

Weakness: Path Traversal

HTTP request smuggling using malformed Transfer-Encoding header

Reported by: erubinson | Disclosed:

Critical

Weakness: HTTP Request Smuggling

Insecure loading of ICU data through ICU_DATA environment variable

Reported by: bnoordhuis | Disclosed:

Low

The use of proto in process.mainModule.proto.require() bypasses the permission system in Node v19.6.1

Reported by: haxatron1 | Disclosed:

High

Weakness: Privilege Escalation

Previous Page 4 of 6 Next