32 matches found
EUVD-2025-149595
Malicious code in teagood-nakama51 npm...
Malicious code in teagood-nakama12 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e5fabc6f03ab03c51bd9d0037fd778488de89286a6912fce162530ced5eb60a9 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in teagood-nakama99 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fb9667f1d8c307b6ee30781a27ea88797c44f03e4eac7972a2e1f418ed110644 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in teagood-nakama87 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f65973b688d978e575682715f377791d748a247fed666e26f22c029a46f1a562 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-167180 Malicious code in teagood-nakama17 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 606240b216754863ae5967b2d967f99c1fb259c9b828afc7debe6dbaa1045c89 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-149631
Malicious code in teagood-nakama18 npm...
EUVD-2025-149608
Malicious code in teagood-nakama4 npm...
EUVD-2025-149632
Malicious code in teagood-nakama17 npm...
EUVD-2025-149564
Malicious code in teagood-nakama8 npm...
EUVD-2025-149638
Malicious code in teagood-nakama11 npm...
MAL-2025-167190 Malicious code in teagood-nakama26 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ca96be263c21f110b0f5aa3185964ac321f3b16a2ef7187fbe9d6f3fa69135b3 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Multiple user accounts via same email and username
Description: Nakama Console does not validate uppercase/lowercase letters when creating a new user. This can be abused to create multiple user accounts with the same email and username.
Proof of Concept (HTTP request 1):
POST /v2/console/user HTTP/1.1
Host: 192.168.1.16:7351
Authorization: Bearer...
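The entry above describes a uniqueness check that compares identities byte-for-byte, so a second account can be created by changing the case of an existing username or email. The following Go code is an added example, not Nakama's code: a constructed in-memory user store that reproduces the reported behaviour when caseFold is false and rejects the case-variant duplicate when it is true. The normalizeIdentity function (lower-case plus trim) is an assumption about what the console should treat as the same identity.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
)

var errDuplicate = errors.New("username or email already in use")

// normalizeIdentity folds a username or email to the form used for the
// uniqueness check. Lower-casing plus trimming is an assumption about what the
// console should treat as "the same" identity; a production check would also
// validate the address and consider Unicode case folding.
func normalizeIdentity(s string) string {
	return strings.ToLower(strings.TrimSpace(s))
}

// userStore is a constructed in-memory stand-in for the console user table.
// With caseFold=false it reproduces the reported behaviour: "admin" and
// "Admin" are different keys, so both rows are created.
type userStore struct {
	mu       sync.Mutex
	caseFold bool
	byUser   map[string]struct{}
	byEmail  map[string]struct{}
}

func newUserStore(caseFold bool) *userStore {
	return &userStore{
		caseFold: caseFold,
		byUser:   map[string]struct{}{},
		byEmail:  map[string]struct{}{},
	}
}

// create rejects the user if either the username or the email collides with
// an existing row under the store's comparison rule.
func (s *userStore) create(username, email string) error {
	uKey, eKey := username, email
	if s.caseFold {
		uKey, eKey = normalizeIdentity(username), normalizeIdentity(email)
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, exists := s.byUser[uKey]; exists {
		return errDuplicate
	}
	if _, exists := s.byEmail[eKey]; exists {
		return errDuplicate
	}
	s.byUser[uKey] = struct{}{}
	s.byEmail[eKey] = struct{}{}
	return nil
}

func main() {
	for _, fold := range []bool{false, true} {
		st := newUserStore(fold)
		first := st.create("admin", "admin@example.com")
		second := st.create("Admin", "ADMIN@example.com")
		fmt.Printf("caseFold=%-5v first=%v second=%v\n", fold, first, second)
	}
}
```

An application-level check like this still races between two concurrent requests; the durable fix is to also enforce uniqueness in the database on the normalized value (for example a unique index over the lower-cased column) so the second insert fails regardless of ordering.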
Insufficient Session Expiration
Description: The Nakama Console session is not invalidated when the user is deleted.
Proof of Concept, steps to reproduce:
1. Log in to the Nakama Console as admin and create a user [email protected]
2. In a separate browser or private window, log in to the account [email protected]
3. In the admin session,...
User Enumeration via Response Timing
Description: There is a significant timing difference in the login functionality of the Nakama Console for valid and invalid email addresses or usernames.
Proof of Concept:
1. Log in to the Nakama Console as admin and create a user [email protected]
2. Log out
3. Attempt a login with an incorrect passwor...
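The timing oracle above arises when the login handler returns early for an unknown identity and only runs the expensive password verification for a known one. The Go code below is an added example, not Nakama's code: loginLeaky shows the early return, loginUniform always runs the key-derivation and a constant-time compare against a fixed dummy credential and only then folds in whether the account existed. The iterated SHA-256 stands in for a real password KDF (bcrypt/argon2id) to keep the example dependency-free; the credentials and identities are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
	"time"
)

// rounds of hashing stand in for a real password KDF (bcrypt/argon2id); the
// value is chosen only so the cost is measurable in main.
const rounds = 20000

type credential struct {
	salt []byte
	hash []byte
}

func hashPassword(salt []byte, pw string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	for i := 0; i < rounds; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}

func newCredential(salt, pw string) credential {
	return credential{salt: []byte(salt), hash: hashPassword([]byte(salt), pw)}
}

// dummy is verified whenever the account does not exist, so the unknown-user
// path does the same amount of work as the known-user path.
var dummy = newCredential("dummy-salt", "dummy-password")

type loginService struct {
	users map[string]credential // key: lower-cased email or username
}

// loginLeaky returns as soon as the lookup fails and skips the KDF: an unknown
// identity answers in microseconds, a known one only after the hashing.
func (s *loginService) loginLeaky(user, pw string) bool {
	c, ok := s.users[strings.ToLower(user)]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(hashPassword(c.salt, pw), c.hash) == 1
}

// loginUniform always runs the KDF and the constant-time compare, then ANDs
// the result with whether the account existed.
func (s *loginService) loginUniform(user, pw string) bool {
	c, ok := s.users[strings.ToLower(user)]
	found := 0
	if ok {
		found = 1
	} else {
		c = dummy
	}
	match := subtle.ConstantTimeCompare(hashPassword(c.salt, pw), c.hash)
	return found&match == 1
}

// timeLogin measures one attempt; it exists only for the demonstration in main.
func timeLogin(f func(string, string) bool, user, pw string) time.Duration {
	start := time.Now()
	f(user, pw)
	return time.Since(start)
}

func main() {
	svc := &loginService{users: map[string]credential{
		"admin@example.com": newCredential("salt-1", "correct horse"),
	}}
	fmt.Println("leaky   known  :", timeLogin(svc.loginLeaky, "admin@example.com", "wrong"))
	fmt.Println("leaky   unknown:", timeLogin(svc.loginLeaky, "nobody@example.com", "wrong"))
	fmt.Println("uniform known  :", timeLogin(svc.loginUniform, "admin@example.com", "wrong"))
	fmt.Println("uniform unknown:", timeLogin(svc.loginUniform, "nobody@example.com", "wrong"))
}
```

Running main shows the leaky unknown-user case finishing far faster than the other three, which is the measurement an attacker automates. Uniform work per request removes the gross difference; residual jitter should still be paired with rate limiting and a generic "invalid credentials" response.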
heroiclabs/nakama, server software for social games and applications, insufficiently restricts authentication attempts, which allows an attacker to gain unauthorized access to protected information.
heroiclabs/nakama, server software for social games and applications, insufficiently restricts authentication attempts. Exploiting this vulnerability can allow a remote malicious actor to gain unauthorized access to protected information...
Information Disclosure
github.com/heroiclabs/nakama is vulnerable to information disclosure. The vulnerability exists because unsuccessful login attempts on the console are not properly restricted, which allows an attacker to mount brute-force attacks and gain access to user account details...
GHSA-XV59-GC3R-RF92 Insufficient Session Expiration in Nakama
Old session tokens can be used to authenticate to the application and send authenticated requests...
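Both session entries above (the console session surviving user deletion, and old session tokens remaining usable) come down to the same design point: a token can only be revoked if the server keeps state about it and consults that state on every request. The Go code below is an added example, not Nakama's code: a constructed in-memory user and session store where authenticateTokenOnly reproduces the weak behaviour, authenticate also checks that the user still exists, and deleteUser cascades to revoke every session. The injectable clock and one-hour TTL are example choices.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

var errUnauthorized = errors.New("unauthorized")

type session struct {
	userID  string
	expires time.Time
}

// sessionStore is a constructed stand-in for the console's user and session
// tables. Tokens are opaque random strings; the state lives server-side, which
// is what makes revocation possible.
type sessionStore struct {
	mu       sync.Mutex
	ttl      time.Duration
	now      func() time.Time // injectable so expiry can be tested
	users    map[string]struct{}
	sessions map[string]session             // token -> session
	byUser   map[string]map[string]struct{} // userID -> its tokens
}

func newSessionStore(ttl time.Duration) *sessionStore {
	return &sessionStore{
		ttl: ttl, now: time.Now,
		users:    map[string]struct{}{},
		sessions: map[string]session{},
		byUser:   map[string]map[string]struct{}{},
	}
}

func (s *sessionStore) addUser(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.users[id] = struct{}{}
}

func newToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// login issues a fresh token for an existing user and records it under the user.
func (s *sessionStore) login(userID string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.users[userID]; !ok {
		return "", errUnauthorized
	}
	tok, err := newToken()
	if err != nil {
		return "", err
	}
	s.sessions[tok] = session{userID: userID, expires: s.now().Add(s.ttl)}
	if s.byUser[userID] == nil {
		s.byUser[userID] = map[string]struct{}{}
	}
	s.byUser[userID][tok] = struct{}{}
	return tok, nil
}

// authenticateTokenOnly is the weak check: once issued, a token stays valid
// until its own expiry no matter what happened to the user.
func (s *sessionStore) authenticateTokenOnly(tok string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[tok]
	if !ok || !s.now().Before(sess.expires) {
		return "", errUnauthorized
	}
	return sess.userID, nil
}

// authenticate additionally requires that the user still exists.
func (s *sessionStore) authenticate(tok string) (string, error) {
	uid, err := s.authenticateTokenOnly(tok)
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.users[uid]; !ok {
		return "", errUnauthorized
	}
	return uid, nil
}

// deleteUserRowOnly mirrors the reported behaviour: the user row goes away
// but every live session is left behind.
func (s *sessionStore) deleteUserRowOnly(userID string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.users, userID)
}

// revokeAll invalidates every session of the user (logout-everywhere,
// password change, role change).
func (s *sessionStore) revokeAll(userID string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	for tok := range s.byUser[userID] {
		delete(s.sessions, tok)
	}
	delete(s.byUser, userID)
}

// deleteUser removes the user and cascades to all of their sessions.
func (s *sessionStore) deleteUser(userID string) {
	s.deleteUserRowOnly(userID)
	s.revokeAll(userID)
}

func main() {
	st := newSessionStore(time.Hour)
	st.addUser("alice")
	tok, _ := st.login("alice")
	_, weakBefore := st.authenticateTokenOnly(tok)
	st.deleteUserRowOnly("alice")
	_, weakAfter := st.authenticateTokenOnly(tok)
	_, hardAfter := st.authenticate(tok)
	fmt.Println("token-only before delete:", weakBefore)
	fmt.Println("token-only after delete :", weakAfter)
	fmt.Println("user-checked after delete:", hardAfter)
}
```

With stateless bearer tokens (self-contained JWTs validated by signature alone) none of this is possible: the server has nothing to delete, so either keep a server-side session record as here, or keep a per-user revocation marker (a session version or "not before" timestamp) that every request compares against the token's issue time.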
GHSA-8R94-4H3C-939F Improper Restriction of Excessive Authentication Attempts
Nakama Console does not enforce any limit for the number of unsuccessful login attempts...
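The entry above and the brute-force entries earlier on this page describe the absence of any cap on failed console logins. The Go code below is an added example, not Nakama's code: a sliding-window failed-attempt limiter applied both per account (stops guessing one password) and per source address (stops spraying many accounts from one host), with an injectable clock so the lockout expiry can be exercised. The thresholds, windows, sample address and plaintext password map are constructed stand-ins; a real check verifies a password hash.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// attemptLimiter counts failed logins per key (an account or a source IP)
// inside a sliding window and locks the key out once the threshold is hit.
type attemptLimiter struct {
	mu       sync.Mutex
	max      int
	window   time.Duration
	lockout  time.Duration
	now      func() time.Time // injectable clock so lockout expiry can be tested
	failures map[string][]time.Time
	locked   map[string]time.Time // key -> lockout expiry
}

func newAttemptLimiter(max int, window, lockout time.Duration) *attemptLimiter {
	return &attemptLimiter{
		max: max, window: window, lockout: lockout, now: time.Now,
		failures: map[string][]time.Time{},
		locked:   map[string]time.Time{},
	}
}

// allow reports whether key may attempt a login right now.
func (l *attemptLimiter) allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	until, isLocked := l.locked[key]
	if !isLocked {
		return true
	}
	if l.now().Before(until) {
		return false
	}
	delete(l.locked, key) // lockout elapsed: start from a clean slate
	delete(l.failures, key)
	return true
}

// fail records a failure, drops failures older than window, and locks the key
// once max failures sit inside the window.
func (l *attemptLimiter) fail(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	t := l.now()
	var kept []time.Time
	for _, ts := range l.failures[key] {
		if t.Sub(ts) < l.window {
			kept = append(kept, ts)
		}
	}
	kept = append(kept, t)
	l.failures[key] = kept
	if len(kept) >= l.max {
		l.locked[key] = t.Add(l.lockout)
	}
}

// success clears the failure history for key.
func (l *attemptLimiter) success(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.failures, key)
	delete(l.locked, key)
}

// loginGuard wraps a credential check with both limiters. The plaintext
// password map is a constructed stand-in for a hashed-credential store.
type loginGuard struct {
	byUser, byIP *attemptLimiter
	passwords    map[string]string
}

func (g *loginGuard) login(ip, user, pw string) (bool, string) {
	if !g.byIP.allow(ip) || !g.byUser.allow(user) {
		return false, "too many attempts, try again later"
	}
	if stored, ok := g.passwords[user]; ok && stored == pw {
		g.byUser.success(user)
		g.byIP.success(ip)
		return true, "ok"
	}
	g.byUser.fail(user)
	g.byIP.fail(ip)
	// One message for "no such user" and "wrong password", so the limiter
	// does not become an account-enumeration oracle.
	return false, "invalid credentials"
}

func main() {
	g := &loginGuard{
		byUser:    newAttemptLimiter(5, 10*time.Minute, 15*time.Minute),
		byIP:      newAttemptLimiter(50, 10*time.Minute, 15*time.Minute),
		passwords: map[string]string{"admin@example.com": "correct horse"},
	}
	for i := 1; i <= 7; i++ {
		ok, msg := g.login("198.51.100.7", "admin@example.com", fmt.Sprintf("guess-%d", i))
		fmt.Printf("attempt %d: ok=%v %s\n", i, ok, msg)
	}
}
```

The per-account lockout on its own lets an attacker deny service to a known admin by deliberately exhausting its attempts, which is why the example keeps the account threshold low but temporary and pairs it with the per-source limit; alerting on lockouts is the operational complement.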