Directory Traversal
Overview: Affected versions of serve-here resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...
CVE-2017-10910
| creationtimestamp | type | source |
|---|---|---|
| 2017-12-28 22:51:58+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-h9mj-fghc-664w... |
Silently Runs Cryptocoin Miner
Overview: Affected versions of hooka-tools were compromised and modified to silently run a cryptocoin miner in the background. All affected versions have been unpublished from the npm registry. Recommendation: While this module has been unpublished, some versions may exist in mirrors or caches. Do...
CVE-2013-7454
| creationtimestamp | type | source |
|---|---|---|
| 2017-10-24 18:33:36+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-q4qq-fm7q-cwp5... |
CVE-2015-1370
| creationtimestamp | type | source |
|---|---|---|
| 2017-10-24 18:33:36+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-cfjh-p3g4-3q2f... |
CVE-2015-1369
| creationtimestamp | type | source |
|---|---|---|
| 2017-10-24 18:33:36+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-xqg8-cv3h-xppv... |
CVE-2015-5688
| creationtimestamp | type | source |
|---|---|---|
| 2017-10-24 18:33:36+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-333x-9vgq-v2j4... |
Open Redirect
Overview: st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 redirect to an entirely different domain. A request for http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e, which most browsers trea...
Regular Expression Denial of Service
Overview: Affected versions of method-override are vulnerable to a regular expression denial of service vulnerability when untrusted user input is passed into the X-HTTP-Method-Override header. Recommendation: Update to version 2.3.10 or later. References: GitHub Advisory...
Regular Expression Denial of Service
Overview: Affected versions of string are vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods. Recommendation: There is currently no direct patch for this vulnerability. Currently, the best solution ...
Regular Expression Denial of Service
Overview: Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input. Recommendation: Update to version 2.0.3 or later. References: Issue 167, GitHub Advisory...
Regular Expression Denial of Service
Overview: Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue. Recommendation: Version 2.x.x: Update to...
Regular Expression Denial of Service
Overview: Affected versions of marked are vulnerable to a regular expression denial of service. The amplification in this vulnerability is significant, with 1,000 characters resulting in the event loop being blocked for around 6 seconds. Recommendation: Update to version 0.3.9 or later. References: ...
Regular Expression Denial of Service
Overview: Affected versions of content are vulnerable to a regular expression denial of service when parsing malicious Content-Type and Content-Disposition headers. Recommendation: Update to version 3.0.6 or later. References: GitHub Advisory...
Regular Expression Denial of Service
Overview: Affected versions of forwarded are vulnerable to regular expression denial of service when parsing specially crafted user input. Recommendation: Update to version 0.1.2 or later. References: GitHub Advisory...
Hijacked Environment Variables
Overview: The smb package is a piece of malware that steals environment variables and sends them to attacker-controlled locations. All versions have been unpublished from the npm registry. Recommendation: As this package is malware, if you find it installed in your environment, the real security...
Hijacked Environment Variables
Overview: The mongose package is a piece of malware that steals environment variables and sends them to attacker-controlled locations. All versions have been unpublished from the npm registry. Recommendation: As this package is malware, if you find it installed in your environment, the real securit...
Hijacked Environment Variables
Overview: The http-proxy.js package is a piece of malware that steals environment variables and sends them to attacker-controlled locations. All versions have been unpublished from the npm registry. Recommendation: As this package is malware, if you find it installed in your environment, the real...
Hijacked Environment Variables
Overview: The noderequest package is a piece of malware that steals environment variables and sends them to attacker-controlled locations. All versions have been unpublished from the npm registry. Recommendation: As this package is malware, if you find it installed in your environment, the real...
Hijacked Environment Variables
Overview: The nodemailer.js package is a piece of malware that steals environment variables and sends them to attacker-controlled locations. All versions have been unpublished from the npm registry. Recommendation: As this package is malware, if you find it installed in your environment, the real...