node.js
CVE Severity Distribution (All Time)
Timeline Overview
Recent CVEs
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary …
The Permission Model assumes that any path starting with two backslashes \\ has a four-character prefix that can be ignored, which is not always true.…
The Elliptic package 6.5.7 for Node.js, in its ECDSA implementation, does not correctly verify valid signatures if the hash contains at least fou…
Related Security News
Posted by Pete Allor on Jan 28
Florian, I think you miss what actually is done and how, with whom / what. Pete

Posted by Florian Weimer on Jan 28
* Pete Allor: But is this really how it works these days? For example, if we use a component to render the in-program documentation (traditionally called "online hel…

Posted by Pete Allor on Jan 27
Florian, The question is about who is scoring and a level of their knowledge and understanding. Assuming that each is using CVSS v3.1 then the question is does the scori…

Posted by Florian Weimer on Jan 26
* Pete Allor: The larger problem is that component scoring tends to be higher than whole-system scoring. If a security component fails in its security function, it c…

Posted by Pete Allor on Jan 25
Assigning a CVE for EOL is actually outside the normal practice (there is another standard for that underway) and is not in line with Rule 4.1 as part of the CVE program…