TOPNODEJS.md

June 11, 2026

Top reports from the Node.js program at HackerOne:

  1. HTTP Request Smuggling due to CR-to-Hyphen conversion to Node.js - 134 upvotes, $0
  2. Improper HTTP header block termination in llhttp to Node.js - 122 upvotes, $0
  3. HTTP request smuggling using malformed Transfer-Encoding header to Node.js - 104 upvotes, $0
  4. TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak to Node.js - 78 upvotes, $0
  5. "Assertion failed" in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash to Node.js - 65 upvotes, $0
  6. Path traversal by drive name in Windows environment to Node.js - 59 upvotes, $0
  7. Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string. to Node.js - 59 upvotes, $0
  8. Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS to Node.js - 57 upvotes, $0
  9. CWE-195 in ExternalMemoryAccounter::Increase() to Node.js - 54 upvotes, $0
  10. HashDoS in V8 to Node.js - 52 upvotes, $0
  11. Node.js permission model bypass via unchecked Unix Domain Socket connections (UDS) to Node.js - 49 upvotes, $0
  12. Http request splitting to Node.js - 45 upvotes, $0
  13. WASI sandbox escape via symlink to Node.js - 44 upvotes, $0
  14. Worker permission bypass via InternalWorker leak in diagnostics to Node.js - 42 upvotes, $0
  15. Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled to Node.js - 42 upvotes, $0
  16. Assertion error in node_url.cc via malformed URL format leads to Node.js crash to Node.js - 39 upvotes, $0
  17. Windows Device Names Still Allow Path Traversal in UNC Paths After CVE-2025-27210 Fix to Node.js - 38 upvotes, $0
  18. Improper error handling in async cryptographic operations crashes process to Node.js - 37 upvotes, $0
  19. Path traversal by monkey-patching Buffer internals to Node.js - 36 upvotes, $0
  20. registry.nodejs.org Subdomain Takeover to Node.js - 35 upvotes, $0
  21. Permission model improperly processes UNC paths to Node.js - 35 upvotes, $0
  22. Potential HTTP Request Smuggling in nodejs to Node.js - 34 upvotes, $250
  23. Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize() to Node.js - 34 upvotes, $0
  24. Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers to Node.js - 34 upvotes, $0
  25. fs.futimes() Bypasses Read-Only Permission Model to Node.js - 33 upvotes, $0
  26. FS Permissions Bypass to Node.js - 33 upvotes, $0
  27. Memory leak that enables remote Denial of Service against applications processing TLS client certificates to Node.js - 32 upvotes, $0
  28. Node.js: TLS session reuse can lead to hostname verification bypass to Node.js - 29 upvotes, $0
  29. Node.js: use-after-free in TLSWrap to Node.js - 27 upvotes, $0
  30. Denial of Service by resource exhaustion in fetch() brotli decoding to Node.js - 27 upvotes, $0
  31. setuid() does not drop all privileges due to io_uring to Node.js - 24 upvotes, $0
  32. Usage of unsafe random function in undici for choosing boundary to Node.js - 24 upvotes, $0
  33. Unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion to Node.js - 24 upvotes, $0
  34. Code injection and privilege escalation through Linux capabilities to Node.js - 23 upvotes, $0
  35. Take over subdomain undici.nodejs.org.cdn.cloudflare.net to Node.js - 22 upvotes, $0
  36. Missing AES-GCM Authentication Tag Validation and Improper Deprecation Handling to Node.js - 22 upvotes, $0
  37. Built-in TLS module unexpectedly treats "rejectUnauthorized: undefined" as "rejectUnauthorized: false", disabling all certificate validation to Node.js - 20 upvotes, $150
  38. Multiple permission model bypasses due to improper path traversal sequence sanitization to Node.js - 20 upvotes, $0
  39. Improper handling of wildcards in --allow-fs-read and --allow-fs-write to Node.js - 20 upvotes, $0
  40. fs.fchown/fchmod bypasses permission model to Node.js - 20 upvotes, $0
  41. Bypass incomplete fix of CVE-2024-27980 to Node.js - 20 upvotes, $0
  42. Permissions can be bypassed via arbitrary code execution through abusing libuv signal pipes to Node.js - 20 upvotes, $0
  43. Denial of Service via __proto__ header name in req.headersDistinct (Uncaught TypeError crashes Node.js process) to Node.js - 20 upvotes, $0
  44. HTTP Request Smuggling due to accepting space before colon to Node.js - 18 upvotes, $250
  45. Proxy-Authorization header is not cleared in cross-domain redirect in undici to Node.js - 18 upvotes, $0
  46. HTTP Request Smuggling via Content Length Obfuscation to Node.js - 18 upvotes, $0
  47. Bypass network import restriction via data URL to Node.js - 18 upvotes, $0
  48. fs.lstat bypasses permission model to Node.js - 18 upvotes, $0
  49. HashDoS in V8 to Node.js - 18 upvotes, $0
  50. DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices) to Node.js - 16 upvotes, $0
  51. Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) to Node.js - 16 upvotes, $0
  52. Remotely trigger an assertion on a TLS server with a malformed certificate string to Node.js - 15 upvotes, $0
  53. Prototype pollution via console.table properties to Node.js - 15 upvotes, $0
  54. Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery to Node.js - 15 upvotes, $0
  55. Malformed HTTP/2 SETTINGS frame leads to reachable assert to Node.js - 14 upvotes, $250
  56. Permission Model Bypass in realpathSync.native Allows File Existence Disclosure to Node.js - 14 upvotes, $0
  57. http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks to Node.js - 13 upvotes, $0
  58. GOAWAY HTTP/2 frames cause memory leak outside heap to Node.js - 13 upvotes, $0
  59. Off-by-slash vulnerability in nodejs.org and iojs.org to Node.js - 12 upvotes, $0
  60. url.parse() hostname spoofing via javascript: URIs to Node.js - 11 upvotes, $0
  61. HTTP header values do not have trailing OWS trimmed to Node.js - 11 upvotes, $0
  62. Weak randomness in WebCrypto keygen to Node.js - 11 upvotes, $0
  63. CRLF Injection in Nodejs ‘undici’ via host to Node.js - 11 upvotes, $0
  64. fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect to Node.js - 11 upvotes, $0
  65. Node Installer Local Privilege Escalation to Node.js - 10 upvotes, $0
  66. Multiple HTTP/2 DOS Issues to Node.js - 9 upvotes, $0
  67. HTTP Request Smuggling Due To Improper Delimiting of Header Fields to Node.js - 9 upvotes, $0
  68. Proxy-Authorization header not cleared on cross-origin redirect in undici.request to Node.js - 9 upvotes, $0
  69. Node.js Permission Model bypass: UDS server bind/listen works without --allow-net to Node.js - 9 upvotes, $0
  70. Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests to Node.js - 8 upvotes, $250
  71. Slowloris, body parsing to Node.js - 8 upvotes, $250
  72. Your page has 2 blocking CSS resources. This causes a delay in rendering your page. to Node.js - 8 upvotes, $0
  73. The use of `__proto__` in `process.mainModule.__proto__.require()` bypasses the permission system in Node v19.6.1 to Node.js - 8 upvotes, $0
  74. napi_get_value_string_X allow various kinds of memory corruption to Node.js - 7 upvotes, $250
  75. HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding to Node.js - 7 upvotes, $0
  76. HTTP Request Smuggling Due to Flawed Parsing of Transfer-Encoding to Node.js - 7 upvotes, $0
  77. Permissions policies can be bypassed via process.mainModule to Node.js - 7 upvotes, $0
  78. HTTP Request Smuggling via Empty headers separated by CR to Node.js - 7 upvotes, $0
  79. DiffieHellman doesn't generate keys after setting a key to Node.js - 7 upvotes, $0
  80. NULL pointer dereference in node:sqlite DatabaseSync#applyChangeset() via malformed SQLite changeset to Node.js - 7 upvotes, $0
  81. HTTP Request Smuggling due to ignoring chunk extensions to Node.js - 6 upvotes, $250
  82. HTTP/2 Denial of Service Vulnerability to Node.js - 6 upvotes, $0
  83. HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (improper fix for CVE-2022-32215) to Node.js - 6 upvotes, $0
  84. HTTP Request Smuggling Due to Incorrect Parsing of Header Fields to Node.js - 6 upvotes, $0
  85. fs.openAsBlob() bypasses permission system to Node.js - 6 upvotes, $0
  86. Process-based permissions can be bypassed with the "inspector" module. to Node.js - 6 upvotes, $0
  87. Memory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion to Node.js - 6 upvotes, $0
  88. CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown to Node.js - 6 upvotes, $0
  89. Memory Corruption via TOCTOU Race in SharedArrayBuffer UTF-8 Decode (StringBytes::Encode) to Node.js - 6 upvotes, $0
  90. DNS rebinding in --inspect (insufficient fix of CVE-2018-7160) to Node.js - 5 upvotes, $500
  91. Pull Request #12949 - Security Implications without CVE assignment to Node.js - 5 upvotes, $0
  92. OOB read in libuv to Node.js - 5 upvotes, $0
  93. CVE-2022-32213 bypass via obs-fold mechanic to Node.js - 5 upvotes, $0
  94. Multiple OpenSSL error handling issues in nodejs crypto library to Node.js - 5 upvotes, $0
  95. Filesystem experimental permissions policy does not handle path traversal cases. to Node.js - 5 upvotes, $0
  96. fs module's file watching is not restricted by --allow-fs-read to Node.js - 5 upvotes, $0
  97. Denial of Service: nghttp2 use of uninitialized pointer to Node.js - 4 upvotes, $0
  98. fs.realpath.native on darwin may cause buffer overflow to Node.js - 4 upvotes, $0
  99. Unexpected input validation of octal literals in nodejs v15.12.0 and below returns defined values for all undefined octal literals. to Node.js - 4 upvotes, $0
  100. Improper handling of untypical characters in domain names to Node.js - 4 upvotes, $0
  101. Undici does not use CONNECT or otherwise validate upstream HTTPS certificates when using a proxy to Node.js - 4 upvotes, $0
  102. DNS rebinding in --inspect via invalid octal IP address to Node.js - 4 upvotes, $0
  103. Insecure loading of ICU data through ICU_DATA environment variable to Node.js - 4 upvotes, $0
  104. OpenSSL engines can be used to bypass and/or disable the permission model to Node.js - 4 upvotes, $0
  105. Hostname spoofing to Node.js - 3 upvotes, $0
  106. Out of order TLS handshake / application data messages lead to segmentation fault to Node.js - 3 upvotes, $0
  107. Fix for CVE-2018-12122 can be bypassed via keep-alive requests to Node.js - 3 upvotes, $0
  108. loader.js is not secure to Node.js - 3 upvotes, $0
  109. Child process environment injection via prototype pollution to Node.js - 3 upvotes, $0
  110. HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion to Node.js - 3 upvotes, $0
  111. Node 18 reads openssl.cnf from /home/iojs/build/... upon startup on MacOS to Node.js - 3 upvotes, $0
  112. Regular Expression Denial of Service in Headers to Node.js - 3 upvotes, $0
  113. DNS Max Responses for DOS to Node.js - 2 upvotes, $250
  114. CRLF Injection in legacy url API (url.parse().hostname) to Node.js - 2 upvotes, $0
  115. Use After Free in crypto.randomFill to Node.js - 2 upvotes, $0
  116. Node.js HTTP/2 Large Settings Frame DoS to Node.js - 2 upvotes, $0
  117. Node.js Certificate Verification Bypass via String Injection to Node.js - 2 upvotes, $0
  118. Http response is not ended although underlying socket is already destroyed to Node.js - 1 upvote, $0
  119. Vulnerability in http-parser & embedded NULL header handling to Node.js - 1 upvote, $0