- How many CVEs does Node.js have?
- Node.js has 247 published CVE records since 2012, including 55 in the last two years.
- How many Node.js CVEs are in CISA KEV?
- Yes — 1 of Node.js's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.
- Which Node.js products have the most CVEs?
- The Node.js products with the most published CVEs are node, node.js, undici, nodejs, llhttp.
- What are the most common weakness types in Node.js CVEs?
- Node.js's CVEs most often map to these CWE weakness types: CWE-400 (Uncontrolled Resource Consumption), CWE-444 (Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')), CWE-284 (Improper Access Control), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')).
- Are there public exploits for Node.js vulnerabilities?
- Yes — 30 of Node.js's CVEs have a known public exploit.
- How many critical Node.js vulnerabilities are there?
- Node.js has 22 critical and 126 high-severity CVEs.
- What is the average severity of Node.js CVEs?
- The average CVSS base score across Node.js's scored CVEs is 6.9.