node.js

node

30 Versions 10 CVEs

Versions

Recent CVEs

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.

HIGH

CVE-2025-23088

No description available

UNKNOWN

CVE-2025-23083

HIGH

CVE-2025-23089

No description available

UNKNOWN

CVE-2024-37372

The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.

LOW Jan 09, 2025

CVE-2024-36138

Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

HIGH Sep 07, 2024

CVE-2024-36137

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.

LOW Sep 07, 2024

node

Versions

21.7.1

18.20.0

20.12.0

21.7.2

14.21.3

12.22.12

3.3.1

6.17.1

11.15.0

13.14.0

8.17.0

0.12.18

4.9.1

18.20.3

22.4.0

16.20.2

5.12.0

20.15.0

10.24.1

17.9.1

21.7.3

9.11.2

7.10.1

1.8.4

2.13.2

19.9.0

15.14.0

22.13.0

23.6.0

20.18.1