17 matches found
Node.js: NULL pointer dereference in node:sqlite DatabaseSync#applyChangeset() via malformed SQLite changeset
Summary: A 19-byte malformed SQLite changeset passed to Node.js node:sqlite DatabaseSync#applyChangeset() causes a native NULL pointer dereference and terminates the Node.js process. Description: The built-in Node.js node:sqlite API exposes DatabaseSync#applyChangeset(changeset, options), which accepts...
EUVD-2018-0341
Malware in sbrugna...
EUVD-2025-16915
Malicious code in bioql PyPI...
MAL-2025-6742 Malicious code in node-sqlite-fly-tutorial (npm)
The package communicates with a domain associated with malicious activity...
Malicious code in node-sqlite-fly-tutorial (npm)
The package communicates with a domain associated with malicious activity...
Deno has --allow-read / --allow-write permission bypass in `node:sqlite`
Summary: It is possible to bypass Deno's read/write permission checks by using ATTACH DATABASE statement. PoC: // poc.js import { DatabaseSync } from "node:sqlite" const db = new DatabaseSync(":memory:"); db.exec("ATTACH DATABASE 'test.db' as test;"); db.exec("CREATE TABLE test.test (id INTEGER PRIMARY KE...
GHSA-8VXJ-4CPH-C596 Deno has --allow-read / --allow-write permission bypass in `node:sqlite`
Summary: It is possible to bypass Deno's read/write permission checks by using ATTACH DATABASE statement. PoC: // poc.js import { DatabaseSync } from "node:sqlite" const db = new DatabaseSync(":memory:"); db.exec("ATTACH DATABASE 'test.db' as test;"); db.exec("CREATE TABLE test.test (id INTEGER PRIMARY KE...
--allow-read / --allow-write permission bypass in `node:sqlite`
It is possible to bypass Deno's read/write permission checks by using ATTACH DATABASE statement. PoC: // poc.js import { DatabaseSync } from "node:sqlite" const db = new DatabaseSync(":memory:"); db.exec("ATTACH DATABASE 'test.db' as test;"); db.exec("CREATE TABLE test.test (id INTEGER PRIMARY KEY, name...
RUSTSEC-2025-0138 --allow-read / --allow-write permission bypass in `node:sqlite`
It is possible to bypass Deno's read/write permission checks by using ATTACH DATABASE statement. PoC: // poc.js import { DatabaseSync } from "node:sqlite" const db = new DatabaseSync(":memory:"); db.exec("ATTACH DATABASE 'test.db' as test;"); db.exec("CREATE TABLE test.test (id INTEGER PRIMARY KEY, name...
@fto-consult/electron (>=1.0.0 <=1.0.43), @fto-consult/electron-gen (>=1.1.0 <=3.0.0) +2 more potentially affected by CVE-2017-16048 via node-sqlite (=0.0.2-security)
node-sqlite NPM version =0.0.2-security is affected by a known vulnerability. The following packages have a transitive dependency on node-sqlite and may be impacted: - @fto-consult/electron =1.0.0, =1.1.0, =7.6.1, =1.0.1, =1.1.6 Source cves: CVE-2017-16048 Source advisory: OSV:GHSA-X52F-H74P-9JH8...
node-sqlite is malware
The node-sqlite package is a piece of malware that steals environment variables and sends them to attacker-controlled locations. All versions have been unpublished from the npm registry. Recommendation: As this package is malware, if you find it installed in your environment, the real security...
Malicious JavaScript Package Detection
Detection and reporting of known malicious JavaScript packages or package versions. SPDX-FileCopyrightText: 2018 Greenbone AG. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only ifdescripti...
Malicious Module
node-sqlite was a malicious module, as it was developed to hijack environment variables and send them to an attacker-controlled location...
CVE-2017-16048
node-sqlite was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm...
Code injection
node-sqlite was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm...
CVE-2017-16048
The CVE-2017-16048 entry covers the node-sqlite package, identified as malware that hijacks environment variables. Connected advisories confirm that the malware steals environment variables and exfiltrates to attacker-controlled locations; all versions were unpublished from npm. Practical impact ...
CVE-2017-16048
node-sqlite was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm...