7866 matches found
Node.js third-party modules: `macaddress` concatenates unsanitized input into exec() command
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report code injection i...
Node.js third-party modules: `sql` does not properly escape parameters when building SQL queries, resulting in potential SQLi
I would like to report an SQLi in sql. It allows inserting potentially user-controlled content into queries without proper escaping, in cases where that is not additionally verified in the applications using the sql library. Module module name: sql version: 0.78.0 npm page:...
Node.js third-party modules: typeorm does not properly escape parameters when building SQL queries, resulting in potential SQLi
I would like to report an SQLi in typeorm. It allows inserting potentially user-controlled content into queries without proper escaping, in cases where that is not additionally verified in the applications using the typeorm library. Module module name: typeorm version: 0.1.12 npm page:...
Node.js third-party modules: [stattic] Improper path validation leads to Path Traversal and allows reading arbitrary files with any extension(s)
I would like to report Path Traversal in the stattic module. It allows reading the content of arbitrary files from the server where stattic is installed and running. Module module name: stattic version: 0.2.3 npm page: https://www.npmjs.com/package/stattic Module Description Ridiculously simple script for...
Node.js third-party modules: Regular Expression Denial of Service (ReDoS)
The issue was already fixed. Module: is-my-json-valid Summary: Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. It used the regular expression /^\S+@\S+$/ in order to validate emails. This can cause an impact of about 10 seconds matching time f...
Node.js third-party modules: [bracket-template] Reflected XSS possible when variable passed via GET parameter is used in template
Hi Guys, I would like to report Reflected XSS in the bracket-template module. It allows injecting an arbitrary JavaScript tag and malicious code that executes when variables read from GET are used directly in a template without sanitization. Module module name: bracket-template version: 1.1.5 npm page:...
Node.js third-party modules: [public] Stored XSS in filenames in directory served by public
Hi Guys, public allows embedding HTML in file names, which in certain conditions might lead to the execution of malicious JavaScript. I put https://www.npmjs.com/package/public in the Weakness section 'Where is the stored content accessible?' because it did not allow me to open the report with...
Node.js third-party modules: Remote Command Execution vulnerability in pullit
I would like to report a Remote Command Execution vulnerability in pullit. It allows remote command execution, such as reading from or writing to the file system and executing other programs, under the current user running the pullit node executable. Module pullit https://www.npmjs.com/package/pullit...
Node.js third-party modules: Path Traversal on Resolve-Path
The author of resolve-path told me that I can submit this here. The vulnerability was already reported to the author and got fixed! Module module name: resolve-path version: 1.3.3 npm page: https://www.npmjs.com/package/resolve-path Description Resolve a relative path against a root path with...
Node.js third-party modules: Media parsing in canvas is at least vulnerable to Denial of Service through multiple vulnerabilities
There is at least a DoS vulnerability in canvas. It segfaults node.js, which leads to a Denial of Service, but according to !exploitable it could possibly be worse. Module canvas: node-canvas is a Cairo-backed Canvas implementation for NodeJS. https://www.npmjs.com/package/canvas version: 1.6.9 Stat...
Node.js third-party modules: [public] Path Traversal allows reading the content of arbitrary files
Hi Guys, There is Path Traversal in the public module. It allows reading the content of arbitrary files on the remote server. Module public Run a static file hosting server with the specified public dir & port. Supports a "directory index" like Apache httpd. https://www.npmjs.com/package/public version: 0.1.2...
Node.js third-party modules: [mcstatic] Path Traversal allows reading the content of arbitrary files
Hi Guys, There is Path Traversal in the mcstatic module. It allows reading the content of arbitrary files on the remote server. Module mcstatic This is a general file server made with nodejs. It makes it easy for you to access the files on the server through the browser. https://www.npmjs.com/package/mcstat...
Node.js third-party modules: [localhost-now] Path Traversal allows reading the content of arbitrary files
Hi Guys, There is Path Traversal in the localhost-now module. It allows reading the content of arbitrary files on the remote server. Module localhost-now This is a general file server made with nodejs. It makes it easy for you to access the files on the server through the browser...
Node.js third-party modules: [uppy] Stored XSS due to crafted SVG file
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Module: Uppy. Affected version: 0.22.2...
Node.js third-party modules: Prototype pollution attack (merge-recursive)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the merge-recursive library. Module: merge-recursive Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls...
Node.js third-party modules: Prototype pollution attack (deep-extend)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the deep-extend library. Module: deep-extend Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of...
Node.js third-party modules: Prototype pollution attack (mixin-deep)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the mixin-deep library. Module: mixin-deep Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of the...
Node.js third-party modules: [hekto] Path Traversal vulnerability allows reading the content of arbitrary files
Hi Guys, There is a Path Traversal vulnerability in the hekto module, which allows reading arbitrary files from the remote server. Module hekto This package exposes a directory and its children to create, read, update, and delete operations over http. https://www.npmjs.com/package/hekto version: 0.2.0...
Node.js third-party modules: [626] Path Traversal allows reading arbitrary files from the remote server
Hi Guys, There is a Path Traversal vulnerability in the 626 module, which allows reading arbitrary files from the remote server. Module 626 This package exposes a directory and its children to create, read, update, and delete operations over http. https://www.npmjs.com/package/626 version: 1.1.1 Stats 0...
Node.js third-party modules: [crud-file-server] Stored XSS in filenames when directory index is served by crud-file-server
Hi Guys, crud-file-server allows embedding HTML in file names, which in certain conditions might lead to the execution of malicious JavaScript. Module crud-file-server This package exposes a directory and its children to create, read, update, and delete operations over http...