漏洞赏金情报

数据来源：HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告，按严重程度、漏洞类型或目标项目筛选，关联 CVE 编号。

已披露报告

12,262

关联 CVE

1,866

参与项目数

343

近 7 天新增

0

严重度: All Critical High Medium Low

类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 654 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

项目筛选：nodejs✕

Node.js Cryptographic Issues - Generic (CWE-310)CVE-2026-21717

Medium

2026-03-30

Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery

Node.js Cryptographic Issues - Generic (CWE-310)CVE-2026-21713

Medium

2026-03-30

Node.js Permission Model bypass: UDS server bind/listen works without `--allow-net`

Node.js Improper Access Control - Generic (CWE-284)CVE-2026-21711

Medium

2026-03-30

Memory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion

Node.js Missing Release of Memory after Effective Lifetime (CWE-401)CVE-2026-21714

Medium

2026-03-30

Assertion error in node_url.cc via malformed URL format leads to Node.js crash

Node.js Reachable Assertion (CWE-617)CVE-2026-21712

Medium

2026-03-26

TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak

Node.js Uncontrolled Resource Consumption (CWE-400)CVE-2026-21637

Medium

2026-02-12

Node.js permission model bypass via unchecked Unix Domain Socket connections (UDS)

Node.js Server-Side Request Forgery (SSRF) (CWE-918)CVE-2026-21636

Medium

2026-02-12

Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers

Node.js Improper Handling of Exceptional Conditions (CWE-755)CVE-2025-59466

Medium

2026-02-12

Memory leak that enables remote Denial of Service against applications processing TLS client certificates

Node.js Uncontrolled Resource Consumption (CWE-400)CVE-2025-59464

Medium

2026-02-12

Improper HTTP header block termination in llhttp

Node.js HTTP Request Smuggling (CWE-444)CVE-2025-23167

Medium

2025-06-13

WASI sandbox escape via symlink

Node.js Privilege Escalation (CAPEC-233)

Medium

2025-05-24

GOAWAY HTTP/2 frames cause memory leak outside heap

Node.js Uncontrolled Resource Consumption (CWE-400)CVE-2025-23085

Medium

2025-02-06

Path traversal by drive name in Windows environment

Node.js Path Traversal (CWE-22)CVE-2025-23084

Medium

2025-01-27

Usage of unsafe random function in undici for choosing boundary

Node.js Use of Insufficiently Random Values (CWE-330)CVE-2025-22150

Medium

2025-01-23

Bypass network import restriction via data URL

Node.js Improper Access Control - Generic (CWE-284)CVE-2024-22020

Medium

2024-07-08

HTTP Request Smuggling via Content Length Obfuscation

Node.js HTTP Request Smuggling (CWE-444)CVE-2024-27982

Medium

2024-05-03

Denial of Service by resource exhaustion in fetch() brotli decoding

Node.js Uncontrolled Resource Consumption (CWE-400)CVE-2024-22025

Medium

2024-03-16

Improper handling of wildcards in --allow-fs-read and --allow-fs-write

Node.js Improper Access Control - Generic (CWE-284)CVE-2024-21890

Medium

2024-02-15

Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding)

Node.js Use of a Broken or Risky Cryptographic Algorithm (CWE-327)CVE-2023-46809

Medium

2024-02-15

Integrity checks according to policies can be circumvented

Node.js Insufficient Verification of Data Authenticity (CWE-345)CVE-2023-38552

Medium

2023-10-13

高频漏洞类型

最活跃项目

项目	报告数	最高赏金
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	$2,257
HackerOne	609	—
Nextcloud	584	—
Shopify	465	—
curl	464	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$7,000
Uber	239	—