Top reports from Node.js program at HackerOne:
- HTTP Request Smuggling due to CR-to-Hyphen conversion to Node.js - 132 upvotes, $0
- HTTP request smuggling using malformed Transfer-Encoding header to Node.js - 103 upvotes, $0
- "Assertion failed" in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash to Node.js - 65 upvotes, $0
- Http request splitting to Node.js - 44 upvotes, $0
- registry.nodejs.org Subdomain Takeover to Node.js - 35 upvotes, $0
- Path traversal by monkey-patching Buffer internals to Node.js - 34 upvotes, $0
- Potential HTTP Request Smuggling in nodejs to Node.js - 31 upvotes, $250
- Permission model improperly processes UNC paths to Node.js - 30 upvotes, $0
- Node.js: TLS session reuse can lead to hostname verification bypass to Node.js - 28 upvotes, $0
- Node.js: use-after-free in TLSWrap to Node.js - 27 upvotes, $0
- Denial of Service by resource exhaustion in fetch() brotli decoding to Node.js - 27 upvotes, $0
- setuid() does not drop all privileges due to io_uring to Node.js - 23 upvotes, $0
- Take over subdomain undici.nodejs.org.cdn.cloudflare.net to Node.js - 22 upvotes, $0
- Built-in TLS module unexpectedly treats "rejectUnauthorized: undefined" as "rejectUnauthorized: false", disabling all certificate validation to Node.js - 20 upvotes, $150
- Code injection and privilege escalation through Linux capabilities to Node.js - 20 upvotes, $0
- Bypass incomplete fix of CVE-2024-27980 to Node.js - 20 upvotes, $0
- HTTP Request Smuggling due to accepting space before colon to Node.js - 18 upvotes, $250
- Improper handling of wildcards in --allow-fs-read and --allow-fs-write to Node.js - 18 upvotes, $0
- Permissions can be bypassed via arbitrary code execution through abusing libuv signal pipes to Node.js - 18 upvotes, $0
- Multiple permission model bypasses due to improper path traversal sequence sanitization to Node.js - 17 upvotes, $0
- Proxy-Authorization header is not cleared in cross-domain redirect in undici to Node.js - 16 upvotes, $0
- HTTP Request Smuggling via Content Length Obfuscation to Node.js - 16 upvotes, $0
- Remotely trigger an assertion on a TLS server with a malformed certificate string to Node.js - 15 upvotes, $0
- Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) to Node.js - 15 upvotes, $0
- Bypass network import restriction via data URL to Node.js - 15 upvotes, $0
- fs.fchown/fchmod bypasses permission model to Node.js - 15 upvotes, $0
- fs.lstat bypasses permission model to Node.js - 15 upvotes, $0
- Prototype pollution via console.table properties to Node.js - 14 upvotes, $0
- Malformed HTTP/2 SETTINGS frame leads to reachable assert to Node.js - 13 upvotes, $250
- http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks to Node.js - 13 upvotes, $0
- Off-by-slash vulnerability in nodejs.org and iojs.org to Node.js - 12 upvotes, $0
- url.parse() hostname spoofing via javascript: URIs to Node.js - 11 upvotes, $0
- HTTP header values do not have trailing OWS trimmed to Node.js - 11 upvotes, $0
- DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices) to Node.js - 11 upvotes, $0
- Weak randomness in WebCrypto keygen to Node.js - 11 upvotes, $0
- CRLF Injection in Nodejs ‘undici’ via host to Node.js - 11 upvotes, $0
- fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect to Node.js - 10 upvotes, $0
- Multiple HTTP/2 DOS Issues to Node.js - 9 upvotes, $0
- Node Installer Local Privilege Escalation to Node.js - 9 upvotes, $0
- Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests to Node.js - 8 upvotes, $250
- Slowloris, body parsing to Node.js - 8 upvotes, $250
- Your page has 2 blocking CSS resources. This causes a delay in rendering your page. to Node.js - 8 upvotes, $0
- Proxy-Authorization header not cleared on cross-origin redirect in undici.request to Node.js - 8 upvotes, $0
- napi_get_value_string_X allow various kinds of memory corruption to Node.js - 7 upvotes, $250
- HTTP Request Smuggling Due To Improper Delimiting of Header Fields to Node.js - 7 upvotes, $0
- HTTP Request Smuggling via Empty headers separated by CR to Node.js - 7 upvotes, $0
- DiffieHellman doesn't generate keys after setting a key to Node.js - 7 upvotes, $0
- The use of __proto__ in process.mainModule.__proto__.require() bypasses the permission system in Node v19.6.1 to Node.js - 7 upvotes, $0
- HTTP/2 Denial of Service Vulnerability to Node.js - 6 upvotes, $0
- HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (improper fix for CVE-2022-32215) to Node.js - 6 upvotes, $0
- HTTP Request Smuggling Due to Incorrect Parsing of Header Fields to Node.js - 6 upvotes, $0
- Permissions policies can be bypassed via process.mainModule to Node.js - 6 upvotes, $0
- DNS rebinding in --inspect (insufficient fix of CVE-2018-7160) to Node.js - 5 upvotes, $500
- HTTP Request Smuggling due to ignoring chunk extensions to Node.js - 5 upvotes, $250
- Pull Request #12949 - Security Implications without CVE assignment to Node.js - 5 upvotes, $0
- OOB read in libuv to Node.js - 5 upvotes, $0
- HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding to Node.js - 5 upvotes, $0
- HTTP Request Smuggling Due to Flawed Parsing of Transfer-Encoding to Node.js - 5 upvotes, $0
- CVE-2022-32213 bypass via obs-fold mechanic to Node.js - 5 upvotes, $0
- Multiple OpenSSL error handling issues in nodejs crypto library to Node.js - 5 upvotes, $0
- Filesystem experimental permissions policy does not handle path traversal cases. to Node.js - 5 upvotes, $0
- Denial of Service: nghttp2 use of uninitialized pointer to Node.js - 4 upvotes, $0
- fs.realpath.native on darwin may cause buffer overflow to Node.js - 4 upvotes, $0
- Unexpected input validation of octal literals in nodejs v15.12.0 and below returns defined values for all undefined octal literals. to Node.js - 4 upvotes, $0
- Improper handling of untypical characters in domain names to Node.js - 4 upvotes, $0
- Undici does not use CONNECT or otherwise validate upstream HTTPS certificates when using a proxy to Node.js - 4 upvotes, $0
- DNS rebinding in --inspect via invalid octal IP address to Node.js - 4 upvotes, $0
- Insecure loading of ICU data through ICU_DATA environment variable to Node.js - 4 upvotes, $0
- fs.openAsBlob() bypasses permission system to Node.js - 4 upvotes, $0
- Process-based permissions can be bypassed with the "inspector" module. to Node.js - 4 upvotes, $0
- fs module's file watching is not restricted by --allow-fs-read to Node.js - 4 upvotes, $0
- Hostname spoofing to Node.js - 3 upvotes, $0
- Out of order TLS handshake / application data messages lead to segmentation fault to Node.js - 3 upvotes, $0
- Fix for CVE-2018-12122 can be bypassed via keep-alive requests to Node.js - 3 upvotes, $0
- loader.js is not secure to Node.js - 3 upvotes, $0
- Child process environment injection via prototype pollution to Node.js - 3 upvotes, $0
- HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion to Node.js - 3 upvotes, $0
- Node 18 reads openssl.cnf from /home/iojs/build/... upon startup on MacOS to Node.js - 3 upvotes, $0
- Regular Expression Denial of Service in Headers to Node.js - 3 upvotes, $0
- OpenSSL engines can be used to bypass and/or disable the permission model to Node.js - 3 upvotes, $0
- DNS Max Responses for DOS to Node.js - 2 upvotes, $250
- CRLF Injection in legacy url API (url.parse().hostname) to Node.js - 2 upvotes, $0
- Use After Free in crypto.randomFill to Node.js - 2 upvotes, $0
- Node.js HTTP/2 Large Settings Frame DoS to Node.js - 2 upvotes, $0
- Http response is not ended although underlying socket is already destroyed to Node.js - 1 upvotes, $0
- Vulnerability in http-parser & embedded NULL header handling to Node.js - 1 upvotes, $0
- Node.js Certificate Verification Bypass via String Injection to Node.js - 1 upvotes, $0