CVE-2019-15604

Advisory lineage Upstream: 0 Downstream: 17

Downstream

ALPINE-CVE-2019-15604 DEBIAN-CVE-2019-15604 DSA-4669-1 MGASA-2020-0372 OPENSUSE-SU-2020:0293-1 RHSA-2020:0573

Modified

Published: 07 Feb 2020, 14:57

Last modified:30 Apr 2025, 22:24

Vulnerability Summary

Overall Risk (default)

medium

41/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

3.53% LOW

4% probability -1.19%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

07 Feb 2020, 14:57

Published

Vulnerability first disclosed

30 Apr 2025, 22:24

Last Modified

Vulnerability information updated

Description

Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 3.53%• Percentile: 88%

Techniques & Countermeasures

CWE-295•Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.

Affected Systems

debian•debian_linux
10.0
nodejs•node
≥ 4.0, < 4.* | ≥ 5.0, < 5.* | ≥ 6.0, < 6.* | ≥ 7.0, < 7.* | ≥ 8.0, < 8.* | ≥ 9.0, < 9.* | ≥ 10.0, < 10.19.0 | ≥ 11.0, < 11.* | ≥ 12.0, < 12.15.0 | ≥ 13.0, < 13.8.0
nodejs•node.js
≥ 10.0.0, < 10.19.0 | ≥ 12.0.0, < 12.15.0 | ≥ 13.0.0, < 13.8.0
opensuse•leap
15.1
oracle•communications_cloud_native_core_network_function_cloud_native_environment
1.4.0
oracle•graalvm
19.3.1 | 20.0.0
redhat•enterprise_linux
8.0
redhat•enterprise_linux_eus
8.1 | 8.2 | 8.4 | 8.6
redhat•enterprise_linux_server_aus
8.2 | 8.4 | 8.6
redhat•enterprise_linux_server_tus
8.2 | 8.4 | 8.6
redhat•software_collections
1.0