Module Security Vulnerabilities

CVE-2016-10548

Arbitrary code execution is possible in reduce-css-calc node module <=1.2.4 through crafted CSS. This makes cross-site scripting (XSS) possible on the client and arbitrary code injection possible on the server and user input is passed to the calc...

CVSS 6.1 | AI Score 6.5 | EPSS 0.002 | 2018-05-31 08:29 PM

CVE-2016-10553

sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. A fix was pushed out that fixed potential SQL injection in sequelize 2.1.3 and...

CVSS 9.8 | AI Score 9.7 | EPSS 0.002 | 2018-05-31 08:29 PM

CVE-2016-10532

console-io is a module that allows users to implement a web console in their application. A malicious user could bypass the authentication and execute any command that the user who is running the console-io application 2.2.13 and earlier is able to run. This means that if console-io was running...

CVSS 9.8 | AI Score 9.6 | EPSS 0.003 | 2018-05-31 08:29 PM

CVE-2016-10533

express-restify-mongoose is a module to easily create a flexible REST interface for mongoose models. express-restify-mongoose 2.4.2 and earlier and 3.0.X through 3.0.1 allows a malicious user to send a request for GET /User?distinct=password and get all the passwords for all the users in the...

CVSS 8.8 | AI Score 8.5 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2016-10538

The package node-cli before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access...

CVSS 3.5 | AI Score 3.9 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2016-10539

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted...

CVSS 7.5 | AI Score 7.3 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2016-10552

igniteui 0.0.5 and earlier downloads JavaScript and CSS resources over insecure...

CVSS 7.4 | AI Score 7.4 | EPSS 0.002 | 2018-05-31 08:29 PM

CVE-2016-10531

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because...

CVSS 6.1 | AI Score 6.2 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2016-10534

electron-packager is a command line tool that packages Electron source code into .app and .exe packages along with Electron. The --strict-ssl command line option in electron-packager >= 5.2.1 <= 6.0.0 || >=6.0.0 <= 6.0.2 defaults to false if not explicitly set to true. This could allow...

CVSS 5.9 | AI Score 5.7 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2016-10541

The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape the ">" and "<" operators used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code...

CVSS 9.8 | AI Score 9.6 | EPSS 0.008 | 2018-05-31 08:29 PM

CVE-2016-10543

call is an HTTP router that is primarily used by the hapi framework. There exists a bug in call versions 2.0.1-3.0.1 that does not validate empty parameters, which could result in invalid input bypassing the route validation...

CVSS 5.3 | AI Score 5.2 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2016-10550

sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. If user input goes into the limit or order parameters, a malicious user can put in their own SQL statements. This affects sequelize....

CVSS 9.8 | AI Score 9.5 | EPSS 0.002 | 2018-05-31 08:29 PM

CVE-2016-10540

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern...

CVSS 7.5 | AI Score 7.3 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2016-10520

jadedown is vulnerable to regular expression denial of service (ReDoS) when certain types of user input are passed...

CVSS 7.5 | AI Score 7.4 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2016-10521

jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input are passed in to the emailAddress...

CVSS 7.5 | AI Score 7.4 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2016-10527

The riot-compiler version 2.3.21 has an issue in a regex (catastrophic backtracking) that makes it unusable under certain...

CVSS 7.5 | AI Score 7.4 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2015-9238

secure-compare 3.0.0 and below do not actually compare two strings properly. compare was actually comparing the first argument with itself, meaning the check passed for any two strings of the same...

CVSS 5.3 | AI Score 5.3 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2016-10524

i18n-node-angular is a module used to interact between i18n and angular without using additional resources. A REST API endpoint that is used for development in i18n-node-angular before 1.4.0 was not disabled in production environments. A malicious user could fill up the server causing a Denial of...

CVSS 8.2 | AI Score 8.2 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2016-10528

restafary is a REpresentful State Transfer API for Creating, Reading, Using, Deleting files on a server from the web. Restafary before 1.6.1 is able to set up a root path, which should only allow it to run inside of that root path it...

CVSS 4.9 | AI Score 5 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2015-9236

Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not...

CVSS 5.3 | AI Score 5.2 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2015-9239

ansi2html is vulnerable to regular expression denial of service (ReDoS) when certain types of user input are passed...

CVSS 7.5 | AI Score 7.4 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2016-10518

A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but.....

CVSS 7.5 | AI Score 7.3 | EPSS 0.002 | 2018-05-31 08:29 PM

CVE-2014-10065

Certain input when passed into remarkable before 1.4.1 will bypass the bad protocol check that disallows the javascript: scheme, allowing javascript: URLs to be injected into the rendered...

CVSS 6.1 | AI Score 6.2 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2014-10066

Versions less than 0.1.4 of the static file server module fancy-server are vulnerable to directory traversal. An attacker can provide input such as ../ to read files outside of the served...

CVSS 7.5 | AI Score 7.4 | EPSS 0.002 | 2018-05-31 08:29 PM

CVE-2014-10064

The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example,....

CVSS 7.5 | AI Score 7.3 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2016-10526

A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions < 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logging function. If this output is publicly....

CVSS 8.6 | AI Score 8.3 | EPSS 0.002 | 2018-05-31 08:29 PM

CVE-2016-10529

Droppy versions <3.5.0 do not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under....

CVSS 8.8 | AI Score 8.5 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2016-10530

The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP. Environment variables can often times contain secret keys and other sensitive values. A malicious user could be on the same network as a regular user and intercept all the secret keys the user is sending....

CVSS 5.9 | AI Score 5.5 | EPSS 0.001 | 2018-05-31 08:29 PM

CVE-2016-10523

MQTT before 3.4.6 and 4.0.x before 4.0.5 allows specifically crafted MQTT packets to crash the application, making a DoS attack feasible with very little...

CVSS 7.5 | AI Score 7.3 | EPSS 0.003 | 2018-05-31 08:29 PM

CVE-2016-10519

A security issue was found in bittorrent-dht before 5.1.3 that allows someone to send a specific series of messages to a listening peer and get it to reveal internal...

CVSS 7.5 | AI Score 7.4 | EPSS 0.002 | 2018-05-31 08:29 PM

CVE-2016-10698

mystem-fix is a node.js wrapper for MyStem morphology text analyzer by Yandex.ru. mystem-fix downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled.....

CVSS 8.1 | AI Score 8.3 | EPSS 0.002 | 2018-05-29 08:29 PM

CVE-2018-3734

stattic node module suffers from a Path Traversal vulnerability due to lack of validation of path, which allows a malicious user to read content of any file with known...

CVSS 7.5 | AI Score 7.3 | EPSS 0.003 | 2018-05-29 08:29 PM

CVE-2018-3745

atob 2.0.3 and earlier allocates uninitialized Buffers when a number is passed as input on Node.js 4.x and...

CVSS 9.1 | AI Score 9.1 | EPSS 0.006 | 2018-05-29 08:29 PM

CVE-2017-16047

mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by...

CVSS 7.5 | AI Score 7.4 | EPSS 0.002 | 2018-05-29 08:29 PM

CVE-2017-16062

node-tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by...

CVSS 7.5 | AI Score 7.4 | EPSS 0.002 | 2018-05-29 08:29 PM

CVE-2017-16003

windows-build-tools is a module for installing C++ Build Tools for Windows using npm. windows-build-tools versions below 1.0.0 download resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources...

CVSS 8.1 | AI Score 8.2 | EPSS 0.024 | 2018-05-29 08:29 PM

CVE-2017-16061

tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by...

CVSS 7.5 | AI Score 7.4 | EPSS 0.002 | 2018-05-29 08:29 PM

CVE-2016-10681

roslib-socketio is a fork of the standard ROS JavaScript library that adds support for socket.io. roslib-socketio downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker....

CVSS 8.1 | AI Score 8.2 | EPSS 0.002 | 2018-05-29 08:29 PM

CVE-2017-16010

i18next is a language translation framework. When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true. This can result in a cross-site scripting vulnerability because user input is assumed to be escaped, but is....

CVSS 6.1 | AI Score 5.8 | EPSS 0.001 | 2018-05-29 08:29 PM

CVE-2017-16153

gaoxuyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the...

CVSS 7.5 | AI Score 7.4 | EPSS 0.002 | 2018-05-29 08:29 PM

CVE-2018-3733

crud-file-server node module before 0.9.0 suffers from a Path Traversal vulnerability due to incorrect validation of url, which allows a malicious user to read content of any file with known...

CVSS 7.5 | AI Score 7.2 | EPSS 0.002 | 2018-05-29 08:29 PM

CVE-2018-3744

The html-pages node module contains a path traversal vulnerability that allows an attacker to read any file from the server with...

CVSS 9.8 | AI Score 9.4 | EPSS 0.005 | 2018-05-29 08:29 PM

CVE-2016-10682

massif is a PhantomJS fork. massif downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between...

CVSS 8.1 | AI Score 8.2 | EPSS 0.002 | 2018-05-29 08:29 PM

CVE-2016-10584

dalek-browser-chrome-canary provides Google Chrome bindings for DalekJS. dalek-browser-chrome-canary downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker...

CVSS 8.1 | AI Score 8.2 | EPSS 0.002 | 2018-05-29 08:29 PM

CVE-2016-10589

selenium-binaries downloads Selenium related binaries for your OS. selenium-binaries downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if.....

CVSS 8.1 | AI Score 8.3 | EPSS 0.002 | 2018-05-29 08:29 PM

CVE-2016-10590

cue-sdk-node is a Corsair Cue SDK wrapper for node.js. cue-sdk-node downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled zip file if the attacker.....

CVSS 8.1 | AI Score 8.3 | EPSS 0.002 | 2018-05-29 08:29 PM

CVE-2016-10593

ibapi is an Interactive Brokers API addon for NodeJS. ibapi downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. Before 2.5.6, it may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the...

CVSS 8.1 | AI Score 8.3 | EPSS 0.009 | 2018-05-29 08:29 PM

CVE-2016-10573

baryton-saxophone is a module to install and launch Selenium Server for Mac, Linux and Windows. baryton-saxophone versions below 3.0.1 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the...

CVSS 8.1 | AI Score 8.2 | EPSS 0.002 | 2018-05-29 08:29 PM

CVE-2016-10577

ibm_db is an asynchronous/synchronous interface for node.js to IBM DB2 and IBM Informix. ibm_db before 1.0.2 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an...

CVSS 8.1 | AI Score 8.2 | EPSS 0.005 | 2018-05-29 08:29 PM

CVE-2016-10627

scala-bin is a binary wrapper for Scala. scala-bin downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or.....

CVSS 8.1 | AI Score 8.2 | EPSS 0.002 | 2018-05-29 08:29 PM
Total number of security vulnerabilities: 1388