176 matches found
CVE-2019-15605
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed...
CVE-2019-14939
An issue was discovered in the mysql (aka mysqljs) module 2.17.1 for Node.js. The LOAD DATA LOCAL INFILE option is open by default...
Path Traversal
Overview: Versions of http-live-simulator prior to 1.0.7 are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. For example: `curl --path-as-is http://localhost:8080//../../../../etc/passwd`. Recommendation: Upgrade to...
Prototype Pollution
Overview: Versions of cached-path-relative before 1.0.2 are vulnerable to prototype pollution. Recommendation: Update to version 1.0.2 or later. References: HackerOne Report, GitHub Issue, Node.js Security-wg, GitHub Advisory...
NoSQL injection
Overview: Versions of express-cart before 1.1.8 are vulnerable to NoSQL injection. The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query...
CVE-2018-7166
In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause Buffer.alloc to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying encoding can be passed as a number, this is...
Input validation
atob 2.0.3 and earlier allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below...
Node.js third-party modules: Arbitrary file overwrites in `node-tar`
Background: I was looking for vulnerabilities in a different tar library, tar-fs, and discovered a bug that allowed me to overwrite arbitrary files on the host system using its default extraction method. After reporting the bug to the maintainer of tar-fs, Mathias Buus, he realized that node-tar w...
CVE-2018-7651
index.js in the ssri module before 5.2.2 for Node.js is prone to a regular expression denial of service vulnerability in strict mode functionality via a long base64 hash string...
Node.js third-party modules: `http-proxy-agent` passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak
I would like to report a Buffer allocation vulnerability in http-proxy-agent. In setups where the auth argument is user-controlled, it allows to: (1) cause Denial of Service by trivially consuming all the available CPU resources; (2) extract uninitialized memory chunks from the server on Node.js This module...
Node.js third-party modules: [m-server] Path Traversal allows to display content of arbitrary file(s) from the server
I would like to report Path Traversal in the m-server module. It allows reading the content of any arbitrary file from the server where m-server is installed and run. Module: module name: m-server; version: 1.4.0; npm page: https://www.npmjs.com/package/m-server. Module Description: M-Server is a mini http...
node -- access to unintended files
node developers report: Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules...
Regular Expression Denial of Service
Overview: Affected versions of parsejson are vulnerable to a regular expression denial of service when parsing untrusted user input. Recommendation: The parsejson package has not been functionally updated since it was initially released. Additionally, it provides functionality which is natively...
CVE-2015-8856
Cross-site scripting (XSS) vulnerability in the serve-index package before 1.6.3 for Node.js allows remote attackers to inject arbitrary web script or HTML via a crafted file or directory name...
CVE-2015-8861
The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted...