CVE-2018-12123

moderate-risk

Published 2018-11-28

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.

Do I need to act?

4.6% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Node.Js

Affected Vendors

Nodejs

References (7)

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:1821

Patch https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

Third Party Advisory https://security.gentoo.org/glsa/202003-48

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:1821

Patch https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

Third Party Advisory https://security.gentoo.org/glsa/202003-48

https://security.netapp.com/advisory/ntap-20241213-0008/

/ 100

moderate-risk

Severity 18/34 · Moderate

Exploitability 8/34 · Low

Exposure 7/34 · Low