There are too many vulnerabilities for me to dig through and start pointing out. So instead of talking about each vulnerability, below is a pie chart of the vulnerability classes.
Node.js instances publicly available and indexed by Shodan: ~550 servers.
Node.js source code is publicly available on GitHub.
Good luck and happy vulnerability hunting.
Defensive coding is a must.
Third party software packages need to be reviewed for vulnerabilities.
Treat Node.js as if it were untrusted software handling trusted data.