nodejs
Latest CVEs
The 15 most recently published vulnerabilities affecting nodejs.
- CVE-2026-48931: A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is sent before the client has sent the request. This vulnerability affects all supported release lines: Node.... (score 3.7)
- CVE-2026-48937: A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and Node.j... (score 5.3)
- CVE-2026-48617: A flaw in Node.js Permission Model enforcement allows a bypass via `process.report.writeReport()` path misvalidation. This can lead to confidentiality impact or bypass of the intended security bounda... (score 1.8)
- CVE-2026-21717: A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such co... (score 5.9)
- CVE-2026-21716: An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (fs.fch... (score 3.3)
- CVE-2026-21715: A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce ... (score 3.3)
- CVE-2026-21714: A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The... (score 5.3)
- CVE-2026-21713: A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes... (score 5.9)
- CVE-2026-21711: A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce... (score 5.3)
- CVE-2026-21710: A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this oc... (score 7.5)
- CVE-2026-21712: A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashin... (score 5.7)
- CVE-2026-2229: undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation (score 7.5)
- CVE-2026-1528: undici is vulnerable to Malicious WebSocket 64-bit length overflows undici parser and crashes the client (score 7.5)
- CVE-2026-1527: undici is vulnerable to CRLF Injection via upgrade option (score 4.6)
- CVE-2026-2581: undici is vulnerable to Unbounded Memory Consumption in Undici's DeduplicationHandler via Response Buffering leads to DoS (score 5.9)