Node.js third-party modules: url-parse package return wrong hostname
Jul 19th 2018 - lolwaleet submitted a report to Node.js third-party modules. I would like to report url-parse package return wrong hostname in url-parse. Module module name: url-parse version: 1.4.1 npm page: https://www.npmjs.com/package/url-parse Module Description The url-parse method exposes...
CVE-2016-10594
ipip is a Node.js module to query geolocation information for an IP or domain, based on database by ipip.net. ipip downloads data resources over HTTP, which leaves it vulnerable to MITM attacks...
DNSBin - Tool To Test Data Exfiltration Through DNS (RCE and XXE)
DNSBin is a simple tool to test data exfiltration through DNS and help test vulnerabilities like RCE or XXE when the environment has significant constraints. The project is in two parts; the first one is the web server and its component. It offers a basic web UI, for most cases you won't need more...
Node.js third-party modules: `protobufjs` is vulnerable to ReDoS when parsing crafted invalid *.proto files
I would like to report a ReDoS in protobufjs. It allows to cause Denial of Service by trying to parse or load a crafted .proto file. Module module name: protobufjs version: 6.8.5 npm page: https://www.npmjs.com/package/MODULE NAME Module Description Protocol Buffers are a language-neutral,...
High severity vulnerability that affects electron
Untrusted search path vulnerability in Atom Electron before 0.33.5 allows local users to gain privileges via a Trojan horse Node.js module in a parent directory of a directory named on a require line...
GHSA-GVCJ-PFQ2-WXJ7 High severity vulnerability that affects electron
Untrusted search path vulnerability in Atom Electron before 0.33.5 allows local users to gain privileges via a Trojan horse Node.js module in a parent directory of a directory named on a require line...
Moderate: Red Hat Security Advisory: rh-nodejs6-nodejs-tough-cookie security update
An update for rh-nodejs6-nodejs-tough-cookie is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...
Moderate: Red Hat Security Advisory: rh-nodejs4-nodejs-tough-cookie security update
An update for rh-nodejs4-nodejs-tough-cookie is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...
CVE-2016-1202
Untrusted search path vulnerability in Atom Electron before 0.33.5 allows local users to gain privileges via a Trojan horse Node.js module in a parent directory of a directory named on a require line...
Design/Logic Flaw
Untrusted search path vulnerability in Atom Electron before 0.33.5 allows local users to gain privileges via a Trojan horse Node.js module in a parent directory of a directory named on a require line...
CVE-2016-1202
CVE-2016-1202 affects Electron versions before 0.33.5, where untrusted search path logic allows local attackers to escalate privileges by placing a malicious Node.js module in a parent directory of a require path. Core issue: Electron does not restrict the search path for loading Node module...
CVE-2016-1202
Untrusted search path vulnerability in Atom Electron before 0.33.5 allows local users to gain privileges via a Trojan horse Node.js module in a parent directory of a directory named on a require line...
Deserialization Code Execution
Overview Versions 2.0.4 and earlier of js-yaml are affected by a code execution vulnerability in the YAML deserializer. Proof of Concept const yaml = require'js-yaml'; const x = test: !!js/function function f console.log1; ; yaml.loadx; Recommendation Update js-yaml to version 2.0.5 or later, and...