pkg:Alpine/nodejs
共 109 筆 CVECRITICAL12HIGH60MEDIUM29LOW8
✅ 檢查你的版本
所有已知漏洞
- from 0, < 14.15.5-r0
- from 0, < 0
- CRITICAL9.8CVE-2023-32002The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.from 0, < 16.20.2-r0
- from 0, < 18.12.1-r0
- from 0, < 12.22.4-r0
- CRITICAL9.8CVE-2021-22931Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validatio…from 0, < 12.22.5-r0
- CRITICAL9.8CVE-2019-15606Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparis…from 0, < 10.19.0-r0
- CRITICAL9.8CVE-2019-15605HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformedfrom 0, < 10.19.0-r0
- from 0, < 6.8.0-r0
- CRITICAL9.1CVE-2025-55130A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relati…from 0, < 22.22.2-r0
- CRITICAL9.1CVE-2022-35255A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyG…from 0, < 16.17.1-r0
- CRITICAL9.1CVE-2022-32213llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encodingfrom 0, < 14.20.1-r0
- CRITICAL9.1CVE-2022-32214llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fieldsfrom 0, < 14.20.1-r0
- CRITICAL9.1CVE-2017-15896Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure.from 0, < 8.9.3-r0
- HIGH8.8CVE-2023-32006The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition f…from 0, < 16.20.2-r0
- HIGH8.8CVE-2018-7160The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution.from 0, < 8.11.0-r0
- HIGH8.8CVE-2016-5129Google V8 before 5.2.361.32, as used in Google Chrome before 52.0.2743.82, does not properly process left-trimmed objects, which allows rem…from 0, < 6.10.0-r0
- HIGH8.2CVE-2024-27983An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2…from 0, < 18.20.1-r0
- HIGH8.2CVE-2022-21824Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "propertie…from 0, < 12.22.10-r0
- HIGH8.2CVE-2021-37701Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic linksfrom 0, < 12.22.6-r0
- HIGH8.2CVE-2021-37712Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic linksfrom 0, < 12.22.6-r0
- HIGH8.2CVE-2021-37713Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitizationfrom 0, < 12.22.6-r0
- from 0, < 12.22.6-r0
- from 0, < 12.22.6-r0
- HIGH8.1CVE-2024-36138Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via chil…from 0, < 0
- from 0, < 18.12.1-r0
- from 0, < 0
- from 0, < 12.20.1-r0
- HIGH8.1CVE-2020-8174napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.from 0, < 12.20.1-r0
- HIGH7.8CVE-2020-8252The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which…from 0, < 12.20.1-r0
- HIGH7.7CVE-2025-23083With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created.from 0, < 22.13.1-r0
- HIGH7.5CVE-2026-21710A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the a…from 0, < 22.22.2-r0
- from 0, < 22.22.2-r0
- HIGH7.5CVE-2025-59466We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.cre…from 0, < 22.22.2-r0
- HIGH7.5CVE-2025-59465A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` e…from 0, < 22.22.2-r0
- HIGH7.5CVE-2025-23166The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background…from 0, < 22.15.1-r0
- from 0, < 10.16.3-r0
- HIGH7.5CVE-2023-38552When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation…from 0, < 18.18.2-r0
- HIGH7.5CVE-2023-32559A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.from 0, < 16.20.2-r0
- HIGH7.5CVE-2023-23919A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL err…from 0, < 16.19.1-r0
- from 0, < 14.21.3-r0
- from 0, < 16.19.1-r0
- from 0, < 18.12.1-r0
- from 0, < 10.16.3-r0
- from 0, < 0
- from 0, < 14.16.1-r1
- HIGH7.5CVE-2021-22884Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”.from 0, < 12.21.0-r0
- from 0, < 12.21.0-r0
- HIGH7.5CVE-2020-8277A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in vers…from 0, < 12.20.1-r0
- from 0, < 12.20.1-r0
- from 0, < 10.19.0-r0
- HIGH7.5CVE-2019-9518Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service.from 0, < 10.16.3-r0
- HIGH7.5CVE-2019-9517Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service.from 0, < 10.16.3-r0
- HIGH7.5CVE-2019-9515Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service.from 0, < 10.16.3-r0
- HIGH7.5CVE-2019-9513Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service.from 0, < 10.16.3-r0
- from 0, < 10.16.3-r0
- HIGH7.5CVE-2019-5737In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of…from 0, < 10.15.3-r0
- HIGH7.5CVE-2018-12122Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial…from 0, < 10.14.0-r0
- HIGH7.5CVE-2018-12121Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combinatio…from 0, < 10.14.0-r0
- HIGH7.5CVE-2018-12116Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provi…from 0, < 8.14.0-r0
- HIGH7.5CVE-2018-12115In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`…from 0, < 8.11.4-r0
- HIGH7.5CVE-2018-7167Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service.from 0, < 8.11.3-r0
- HIGH7.5CVE-2018-7161All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH.from 0, < 8.11.3-r0
- HIGH7.5CVE-2018-7158The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector.from 0, < 8.11.0-r0
- from 0, < 8.11.3-r0
- HIGH7.5CVE-2017-14919Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and…from 0, < 6.11.5-r0
- from 0, < 6.11.1-r0
- HIGH7.4CVE-2021-44531Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in…from 0, < 12.22.10-r0
- HIGH7.4CVE-2020-8201Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users.from 0, < 12.20.1-r0
- HIGH7.4CVE-2020-8172TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.from 0, < 12.20.1-r0
- HIGH7.3CVE-2022-32223Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be explo…from 0, < 0
- from 0, < 10.24.1-r0
- HIGH7.1CVE-2025-55131A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module wi…from 0, < 22.22.2-r0
- from 0, < 22.13.1-r0
- from 0, < 20.15.1-r0
- MEDIUM6.5CVE-2024-27982The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to…from 0, < 18.20.1-r0
- MEDIUM6.5CVE-2022-35256The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF.from 0, < 14.20.1-r0
- MEDIUM6.5CVE-2022-32215The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding he…from 0, < 14.20.1-r0
- from 0, < 12.22.10-r0
- from 0, < 12.22.10-r0
- from 0, < 12.20.1-r0
- MEDIUM6.5CVE-2019-9516Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service.from 0, < 10.16.3-r0
- MEDIUM5.9CVE-2026-21717A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially p…from 0, < 22.22.2-r0
- MEDIUM5.9CVE-2026-21713A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timin…from 0, < 22.22.2-r0
- MEDIUM5.9CVE-2018-0734The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack.from 0, < 10.14.0-r0
- from 0, < 10.14.0-r0
- MEDIUM5.7CVE-2026-21712A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalize…from 0, < 24.14.1-r0
- from 0, < 12.22.5-r0
- MEDIUM5.5CVE-2025-23084A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment.from 0, < 22.13.1-r0
- MEDIUM5.3CVE-2026-21714A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow…from 0, < 22.22.2-r0
- MEDIUM5.3CVE-2025-55132A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process…from 0, < 22.22.2-r0
- from 0, < 22.13.1-r0
- MEDIUM5.3CVE-2023-39333Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code.from 0, < 18.18.2-r0
- MEDIUM5.3CVE-2021-44533Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly.from 0, < 12.22.10-r0
- MEDIUM5.3CVE-2021-44532Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format.from 0, < 12.22.10-r0
- MEDIUM5.3CVE-2021-22939If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned a…from 0, < 12.22.5-r0
- from 0, < 12.22.2-r0
- MEDIUM5.3CVE-2018-7159The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1…from 0, < 8.11.0-r0
- from 0, < 16.19.1-r0
- MEDIUM4.3CVE-2018-12123Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a No…from 0, < 10.14.0-r0
- from 0, < 14.21.3-r0
- from 0, < 18.18.2-r0
- LOW3.7CVE-2025-23165In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocate…from 0, < 22.15.1-r0
- LOW3.6CVE-2024-37372The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not al…from 0, < 0
- LOW3.3CVE-2026-21716An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permissi…from 0, < 22.22.2-r0
- LOW3.3CVE-2026-21715A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, wh…from 0, < 22.22.2-r0
- LOW3.3CVE-2024-36137A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used.from 0, < 20.15.1-r0
- LOW3.1CVE-2017-15897Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the…from 0, < 8.9.3-r0
- LOW2.9CVE-2024-22018A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used.from 0, < 20.15.1-r0