HIGH🇵🇱 Wersja polska

CVE-2018-7160

CVSS 8.8v3.1pub. 2018-05-17upd. 2024-11-21

The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Node.js

    APP
    Nodejs
    6.0.0 – 6.8.16.9.0 – 6.14.0 (bez)8.0.0 – 8.8.18.9.0 – 8.11.0 (bez)9.0.0 – 9.10.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-48930CRITICAL9.8PL ✓ten sam produkt

Node.js TLS: błąd obsługi hostname z null-bajtem prowadzi do przekierowania authority

CVE-2025-55130CRITICAL9.1PL ✓ten sam produkt

Obejście modelu uprawnień w Node.js poprzez spreparowane symlinki

CVE-2026-21636CRITICAL10.0PL ✓ten sam produkt

Node.js: obejście modelu uprawnień przez Unix Domain Socket

CVE-2024-3566CRITICAL9.8PL ✓ten sam produkt

Command injection w aplikacjach Windows korzystających z CreateProcess

CVE-2024-21896CRITICAL9.8PL ✓ten sam produkt

Path traversal w Permission Model Node.js przez monkey-patching Buffer