CVE-2018-12123 — Vulnetix

Try Vulnetix Request Demo

CVE-2018-12123 PUBLISHED

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.

EPSS 4.55% · 89.1th percentile

Risk Scores

EPSS Score

4.55%

89.1th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:14.04:LTS	nodejs	0, 0.10.15~dfsg1-4, 0.10.21~dfsg1-1
Ubuntu:Pro:18.04:LTS	nodejs	8.10.0~dfsg-2ubuntu0.4, 0, 6.11.4~dfsg-1ubuntu1
Ubuntu:Pro:16.04:LTS	nodejs	4.2.6~dfsg-1ubuntu4.2+esm1, 4.2.6~dfsg-1ubuntu4.2+esm2, 4.2.6~dfsg-1ubuntu4.2+esm3

Timeline

Nov 28, 2018 CVE Published
Apr 14, 2021 EPSS Score
Oct 3, 2023 CVE Updated
Mar 17, 2025 EPSS Score
Mar 19, 2025 EPSS Score
Mar 29, 2025 EPSS Score
Mar 30, 2025 EPSS Score
Apr 2, 2025 EPSS Score
Apr 13, 2025 EPSS Score
Apr 15, 2025 EPSS Score
Apr 16, 2025 EPSS Score
Apr 20, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2018-12123 third-party-advisory
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ third-party-advisory
https://ubuntu.com/security/notices/USN-4796-1 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2018-12123 third-party-advisory

Open in Interactive Console →