1323 matches found

Node.js
added 2018/04/24 2:37 p.m., 20 views

Prototype Pollution

Overview Versions of default-deep before 0.2.4 are vulnerable to prototype pollution Recommendation Update to version 0.2.4 or later. References - HackerOne Report - GitHub Advisory...

CVSS 6.5 | AI score 4.1 | EPSS 0.0043
Exploits: 1 | Affected Software: 1
Node.js
added 2018/04/24 2:33 p.m., 21 views

Prototype Pollution

Overview Versions of assign-deep before 0.4.7 are vulnerable to prototype pollution via merging functions. Recommendation Update to version 0.4.7 or later. References - HackerOne Report - GitHub Advisory...

CVSS 6.5 | AI score 4.6 | EPSS 0.0043
Exploits: 1 | Affected Software: 1
Node.js
added 2018/04/24 2:30 p.m., 36 views

Prototype Pollution

Overview Versions of mixin-deep before 1.3.1 are vulnerable to prototype pollution via merging functions. Recommendation Update to version 1.3.1 or later. References - HackerOne Report - GitHub Advisory...

CVSS 6.5 | AI score 4.6 | EPSS 0.00542
Exploits: 1 | Affected Software: 1
Node.js
added 2018/04/20 9:48 p.m., 91 views

Path Traversal

Overview Versions of resolve-path before 1.4.0 are vulnerable to path traversal. resolve-path's relative path resolving lacks file path sanitization for Windows-based paths. Recommendation Update to version 1.4.0 or later. References - HackerOne Report - GitHub Advisory...

CVSS 5 | AI score 3.6 | EPSS 0.00395
Exploits: 1 | Affected Software: 1
Node.js
added 2018/04/20 9:43 p.m., 25 views

Path Traversal

Overview Versions of public before 0.1.3 are vulnerable to path traversal. This is due to a lack of file path sanitization, which could allow any file the parent process has access to on the server to be read by a malicious user. Recommendation Update to version 0.1.3 or later. References - Github...

CVSS 5 | AI score 3.1 | EPSS 0.00347
Exploits: 1 | Affected Software: 1
Node.js
added 2018/04/20 9:33 p.m., 2006 views

Sandbox Bypass Leading to Arbitrary Code Execution

Overview Versions of constantinople prior to 3.1.1 are vulnerable to a sandbox bypass which can lead to arbitrary code execution. Recommendation Update to version 3.1.1 or later. References GitHub Advisory...

AI score 7.4
Exploits: 0 | Affected Software: 1
Node.js
added 2018/04/20 9:20 p.m., 34 views

Regular Expression Denial of Service

Overview ssri 5.2.2-6.0.1 and 7.0.0-7.1.1 process SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option. Recommendation...

AI score 6.6 | EPSS 0.02458
Exploits: 1 | Affected Software: 1
Circl
added 2018/01/29 3:50 p.m., 2 views

CVE-2017-18077

creationtimestamp | type | source
--- | --- | ---
2018-01-29 15:50:46+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-832h-xg76-4gv6...

CVSS 7.5 | AI score 7.1 | EPSS 0.0052
Exploits: 1 | References: 1
Node.js
added 2018/01/23 4:55 p.m., 45 views

Directory Traversal

Overview Affected versions of serve do not properly handle %2e (.) and %2f (/) characters, and allow these characters to be used in paths. This can be used to traverse the directory tree and list the content of any directory the user running the process has access to. Mitigating factors: This vulnerabilit...

CVSS 4 | AI score 3.7 | EPSS 0.00678
Exploits: 1 | Affected Software: 1
Node.js
added 2018/01/11 11:16 p.m., 111 views

Directory Traversal

Overview Affected versions of serve-here resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

AI score 6.7
Exploits: 0 | Affected Software: 1
Circl
added 2017/12/28 10:51 p.m., 3 views

CVE-2017-10910

creationtimestamp | type | source
--- | --- | ---
2017-12-28 22:51:58+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-h9mj-fghc-664w...

CVSS 6.5 | AI score 6.6 | EPSS 0.0079
Exploits: 0 | References: 1
Node.js
added 2017/10/24 9:37 p.m., 64 views

Silently Runs Cryptocoin Miner

Overview Affected versions of hooka-tools were compromised and modified to silently run a cryptocoin miner in the background. All affected versions have been unpublished from the npm registry. Recommendation While this module has been unpublished, some versions may exist in mirrors or caches. Do...

AI score 6.9
Exploits: 0 | Affected Software: 1
Circl
added 2017/10/24 6:33 p.m., 2 views

CVE-2013-7454

creationtimestamp | type | source
--- | --- | ---
2017-10-24 18:33:36+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-q4qq-fm7q-cwp5...

CVSS 6.1 | AI score 6.7 | EPSS 0.00482
Exploits: 0 | References: 1
Circl
added 2017/10/24 6:33 p.m., 3 views

CVE-2015-1370

creationtimestamp | type | source
--- | --- | ---
2017-10-24 18:33:36+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-cfjh-p3g4-3q2f...

CVSS 4.3 | AI score 5.8 | EPSS 0.00349
Exploits: 1 | References: 1
Circl
added 2017/10/24 6:33 p.m., 2 views

CVE-2015-1369

creationtimestamp | type | source
--- | --- | ---
2017-10-24 18:33:36+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-xqg8-cv3h-xppv...

CVSS 7.5 | AI score 5.8 | EPSS 0.0036
Exploits: 1 | References: 1
Circl
added 2017/10/24 6:33 p.m., 2 views

CVE-2015-5688

creationtimestamp | type | source
--- | --- | ---
2017-10-24 18:33:36+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-333x-9vgq-v2j4...

CVSS 5 | AI score 7.3 | EPSS 0.81089
Exploits: 1 | References: 1
Node.js
added 2017/10/13 6:54 p.m., 71 views

Open Redirect

Overview st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 redirect to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers trea...

AI score 6.7
Exploits: 0 | Affected Software: 1
Node.js
added 2017/09/27 6:09 p.m., 37 views

Regular Expression Denial of Service

Overview Affected versions of method-override are vulnerable to a regular expression denial of service vulnerability when untrusted user input is passed into the X-HTTP-Method-Override header. Recommendation Update to version 2.3.10 or later. References GitHub Advisory...

CVSS 5 | AI score 4.9 | EPSS 0.00328
Exploits: 0 | Affected Software: 1
Node.js
added 2017/09/25 7:16 p.m., 58 views

Regular Expression Denial of Service

Overview Affected versions of string are vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods. Recommendation There is currently no direct patch for this vulnerability. Currently, the best solution ...

CVSS 5 | AI score 2.7 | EPSS 0.00366
Exploits: 1 | Affected Software: 1
Node.js
added 2017/09/25 7:02 p.m., 47 views

Regular Expression Denial of Service

Overview Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input. Recommendation Update to version 2.0.3 or later. References - Issue 167 - GitHub Advisory...

CVSS 5 | AI score 5.5 | EPSS 0.00433
Exploits: 1 | Affected Software: 1