Simple bug could lead to RCE flaw on apps built with Electron Framework
A critical remote code execution vulnerability has been discovered in the popular Electron web application framework that could allow attackers to execute malicious code on victims' computers. Electron is an open source app development framework that powers thousands of widely-used desktop...
Node.js Foundation Node.js zlib windowBits Denial of Service (CVE-2017-14919)
A denial of service vulnerability exists in Node.js. The vulnerability is due to a newer version of zlib that does not permit a value of 8 for windowBits, and crashes or throws an exception when passed said value...
Node.js third-party modules: Insecure implementation of deserialization in funcster
I would like to report code injection in the serialization package funcster. It allows executing arbitrary code during deserialization of JSON. Module module name: funcster version: 0.0.3 npm page: https://www.npmjs.com/package/funcster Module Description This library contains utilities for serializing...
Denial Of Service (DoS)
node is vulnerable to regular expression denial of service ReDoS attacks. The vulnerability exists in the path module of Node.js 4.x releases that contains a bad regex defined in splitPathRe that causes ReDoS attacks when parsing malicious paths...
PT-2018-17921 · Node.Js +3
Name of the Vulnerable Software and Affected Versions: Node.js versions 6.x and later Description: The issue allows for a DNS rebinding attack, potentially leading to remote code execution. This can be exploited by malicious websites open in a web browser on the same computer or another computer...
Node.js third-party modules: Remote code execution in NPM package getcookies
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report remote code...
Yamot - Yet Another MOnitoring Tool
yamot is a web-based server-monitoring tool built for small environments with just a handful of servers. It needs a minimum of resources, which allows it to run on almost every machine, even very old ones. It works best with Linux or BSD. Windows is not part of the server scope. You could use it...
Node.js third-party modules: Arbitrary file overwrites in `node-tar`
Background I was looking for vulnerabilities in a different tar library, tar-fs, and discovered a bug that allowed me to overwrite arbitrary files on the host system using its default extraction method. After reporting the bug to the maintainer of tar-fs, Mathias Buus, he realized that node-tar w...
Node.js third-party modules: The react-marked-markdown module allows XSS injection in href values.
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report XSS in...
Node.js third-party modules: Unrestricted file upload (RCE)
I would like to report an unrestricted file upload in express-cart. It allows a user with administrative privileges to upload a file to any path. Module module name: express-cart version: 1.1.5 npm page: https://www.npmjs.com/package/express-cart Module Description expressCart is a fully function...
Node.js third-party modules: Privilege escalation allows any user to add an administrator
I would like to report privilege escalation in the npm module express-cart. It allows a normal user to add another user with administrator privileges. Module module name: express-cart version: 1.1.5 npm page: https://www.npmjs.com/package/express-cart Module Description expressCart is a fully...
Remote Memory Exposure
Overview Versions of mysql before 2.14.0 are vulnerable to remote memory exposure. Affected versions of the mysql package allocate and send uninitialized memory over the network when a number is provided as a password. Only mysql running on Node.js versions below 6.0.0 is affected due to a throw...
Node.js third-party modules: [bruteser] Path Traversal allows reading the content of an arbitrary file
I would like to report Path Traversal in the bruteser module. It allows reading the content of any arbitrary file from the server where bruteser is installed and run. Module module name: bruteser version: 0.0.2 npm page: https://www.npmjs.com/package/bruteser Module Description BruteSer - server can be...
Node.js third-party modules: [entitlements] Command injection on the 'path' parameter
Hello again, another command injection, this time on the entitlements module. Module module name: entitlements version: 1.2.0 npm page: https://www.npmjs.com/package/entitlements Module Description check the entitlements of a .app bundle Module Stats 26 downloads in the last day 328 downloads in...
Node.js third-party modules: [git-dummy-commit] Command injection on the msg parameter
Hi there, I've found a Command Injection on the "git-dummy-commit" module. Module module name: git-dummy-commit version: 1.3.0 npm page: https://www.npmjs.com/package/git-dummy-commit Module Description Create a dummy commit for testing Module Stats 62 downloads in the last day 94 downloads in th...
Code Execution by Re-enabling Node.js integration
Overview A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it. For the application to be impacted by this vulnerability it must meet all of these conditions - Runs on Electron 1.7, 1.8, or a 2.0.0-beta - Allows executi...
Node.js third-party modules: [cloudcmd] Stored XSS in the filename when directories listing
I would like to report a Stored XSS issue in the module cloudcmd. It allows executing malicious JavaScript code in the user's browser. Module module name: cloudcmd version: 9.1.5 npm page: https://www.npmjs.com/package/cloudcmd Module Description Cloud Commander is an orthodox web file manager with...
Node.js: registry.nodejs.org Subdomain Takeover
I recently found an abandoned and/or overlooked nodejs.org subdomain that was indirectly pointing to Fastly. Fastly doesn't require any proof of DNS ownership to register new distributions that use a given domain, so I was able to effectively take it over. Vulnerability: Subdomain Takeover via...
Node.js third-party modules: Command injection in 'pdf-image'
I would like to report command injection in pdf-image. It allows executing commands on the server. Module module name: pdf-image version: 1.0.5 npm page: https://www.npmjs.com/package/pdf-image Module Description Provides an interface to convert PDF's pages to png files in Node.js by using...
Node.js: Use After Free in crypto.randomFill
Summary: We can trigger a Use-After-Free while running crypto.randomFill, so we can easily read/write heap memory using a typed array pointing to a freed backing store. Description: See this node_crypto.cc code: `void RandomBytesBuffer(const FunctionCallbackInfo<Value>& args) ... char* data = Buffer::Data(args[0])`...