📦

node.js

Vendor: nodejs

Actively Exploited 1 CISA KEV List

PoC / Exploits 22 Code Available

Total RCEs 16 Remote Access

Total CVEs 695 Total Indexed

Avg. EPSS 10.67% Exploit Prob.

Latest CVE CVE-2026-21637 Jan 20

Security Vulnerability Index

Page 15 / 70

9.8 CVSS

CVE-2016-5180

Exploit Found

Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.

EPSS: 18.09%

Severity: CRITICAL

Oct 03, 2016

7.5 CVSS

CVE-2016-7052

crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.

EPSS: 8.07%

Severity: HIGH

Sep 26, 2016

5.9 CVSS

CVE-2016-6306

The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.

EPSS: 8.87%

Severity: MEDIUM

Sep 26, 2016

7.5 CVSS

CVE-2016-6304

Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.

EPSS: 28.08%

Severity: HIGH

Sep 26, 2016

6.5 CVSS

CVE-2016-5172

The parser in Google V8, as used in Google Chrome before 53.0.2785.113, mishandles scopes, which allows remote attackers to obtain sensitive information from arbitrary memory locations via crafted JavaScript code.

EPSS: 1.13%

Severity: MEDIUM

Sep 25, 2016

9.8 CVSS

CVE-2016-6303

Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.

EPSS: 28.82%

Severity: CRITICAL

Sep 16, 2016

7.5 CVSS

CVE-2016-2183

Exploit Found

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

EPSS: 40.99%

Severity: HIGH

Sep 01, 2016

7.5 CVSS

CVE-2016-3956

The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.

EPSS: 3.21%

Severity: HIGH

Jul 02, 2016

5.5 CVSS

CVE-2016-2178

The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.

EPSS: 0.19%

Severity: MEDIUM

Jun 20, 2016

8.8 CVSS

CVE-2016-1669

The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as used in Google Chrome before 50.0.2661.102, does not properly determine when to expand certain memory allocations, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via crafted JavaScript code.

EPSS: 1.63%

Severity: HIGH

May 14, 2016

Displaying 10 of 695 Total Entries

13 14 15 16 17 ... 70

Total 70 Sections