npm fails to restrict the actions of malicious npm packages
Overview: npm allows packages to take actions that could let a malicious npm package author create a worm that spreads across the majority of the npm ecosystem. Description: npm is the default package manager for Node.js, which is a runtime environment for developing server-side web...
Jsprime - A JavaScript Static Security Analysis Tool
Today, more and more developers are choosing JavaScript as their first language. The reason is simple: JavaScript is now accepted as a mainstream programming language for applications, whether on the web or on mobile, on the client side or on the server side...
Kibana 4.4.2, 4.3.3, 4.1.6 - Updated node.js versions due to upstream vulnerabilities
Same deal as last month, but we've bumped all 3 versions to Node v4.3.2 to cover security issues in Node.js. You can read their maintenance announcement here: https://nodejs.org/en/blog/release/v4.3.2/ Check out the blog post with release notes or grab the latest version...
Malware-Jail - Sandbox for semi-automatic Javascript malware analysis and payload extraction
Sandbox for semi-automatic JavaScript malware analysis and payload extraction. malware-jail is written for Node.js and built on Node's 'vm' sandbox. It currently implements the WScript (Windows Scripting Host) context (env/wscript.js), at least the part frequently used by malware, and an Internet browser context ...
OpenSSL updates, 1.0.2g and 1.0.1s
OpenSSL updates, 1.0.2g and 1.0.1s. Updates to this post, including a schedule change, are included below. The OpenSSL project has announced that they will be releasing versions 1.0.2g and 1.0.1s this week, on Tuesday the 1st of March, UTC. The releases will fix "several defects" that are labelled a...
Node.js HTTP Request Smuggling Vulnerability
Node.js, maintained by the US company Joyent, is a platform for building web applications on top of the Google V8 JavaScript engine. The platform is primarily used for building highly scalable applications and writing code that can handle tens of thousands of simultaneous connections to a singl...
CVE-2016-2537
The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via a crafted string...
Design/Logic Flaw
The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via a crafted string...
CVE-2016-2537
CVE-2016-2537 affects the is-my-json-valid package for Node.js, where an incorrect exports["utc-millisec"] regular expression can be exploited to cause a denial-of-service by blocking the event loop. The core detail across documents is that the vulnerability arises in the is-my-json-valid module ...
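The entries above describe the CVE-2016-2537 failure mode (a format regex that a crafted string drives into heavy backtracking, blocking the event loop) without showing it. The following is an added example, not code from is-my-json-valid or from any advisory: it contrasts an ambiguous pattern with a bounded one and measures how long each holds the event loop. The ambiguous pattern is modelled on the pre-2.12.4 'utc-millisec' regex as the author of this example recalls it and should be treated as an assumption, not a quotation from the package; the crafted inputs are constructed here.

```javascript
// Added example; not code from is-my-json-valid or from its advisory.
// Shows how an ambiguous regular expression lets a single crafted string
// block the Node.js event loop, and a bounded replacement plus a length
// pre-check. AMBIGUOUS_UTC_MILLISEC is modelled on the pre-2.12.4 pattern
// as recalled by the example's author (an assumption, not quoted from the
// package); all inputs below are constructed.

// Ambiguous: `[0-9]+` followed by an optional `\.?[0-9]+` lets a run of
// digits be split between the two quantifiers in O(n) ways. On a
// non-matching tail the engine tries every split, so work grows with n^2.
const AMBIGUOUS_UTC_MILLISEC = /^[0-9]+(\.?[0-9]+)?$/;

// Bounded: the dot inside the group is mandatory (no ambiguity) and both
// quantifiers are capped, so backtracking is limited whatever the input.
// 15 digits covers millisecond timestamps for the foreseeable future.
const BOUNDED_UTC_MILLISEC = /^[0-9]{1,15}(\.[0-9]{1,15})?$/;

// Defence in depth: refuse over-long candidates before any regex runs.
const MAX_LEN = 32;

function isUtcMillisec(value) {
  if (typeof value !== 'string' || value.length > MAX_LEN) return false;
  return BOUNDED_UTC_MILLISEC.test(value);
}

// Attacker input: n digits then a character that can never match, which
// forces the engine to explore every split before failing.
function craftedInput(n) {
  return '1'.repeat(n) + '!';
}

// Time a synchronous regex test; while it runs, nothing else on the
// event loop (timers, sockets, other requests) can make progress.
function timeRegex(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, elapsedMs };
}

// Run both patterns and the validator on the same crafted input.
function compare(n) {
  const input = craftedInput(n);
  return {
    ambiguous: timeRegex(AMBIGUOUS_UTC_MILLISEC, input),
    bounded: timeRegex(BOUNDED_UTC_MILLISEC, input),
    validator: isUtcMillisec(input),
  };
}

// Each 4x increase in n should cost roughly 16x for the ambiguous pattern
// and stay flat for the bounded one.
for (const n of [1000, 4000, 8000]) {
  const r = compare(n);
  console.log(
    `n=${n}: ambiguous ${r.ambiguous.elapsedMs.toFixed(1)} ms, ` +
    `bounded ${r.bounded.elapsedMs.toFixed(3)} ms, validator ${r.validator}`
  );
}
```

The length pre-check matters on its own: it bounds the work even if a future edit reintroduces an ambiguous pattern, and it is the cheapest check to put in front of any user-controlled string that reaches a regex.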
[SECURITY] Fedora 22 Update: nodejs-0.10.42-4.fc22
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...
Mageia: Security Advisory (MGASA-2016-0080)
The remote host is missing an update for the ... SPDX-FileCopyrightText: 2016 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
Updated nodejs packages fix security vulnerability
A request smuggling vulnerability was found in Node.js that can be exploited under certain unspecified circumstances (CVE-2016-2086). It was also reported that HTTP header parsing in Node.js is vulnerable to response splitting attacks. While Node.js has been protecting against response splitting attacks...
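The Mageia entry above says Node.js header handling could be made to split a response even though literal CR/LF was already being rejected. The following is an added example, not Node.js project code and not taken from the advisory: it shows why a check on the JavaScript string alone is insufficient when header values are later written to the socket as single-byte latin1 (that serialization is an assumption made for this example), and a stricter validator that rejects any code unit that cannot be written as a printable byte. The attacker-controlled value and the response renderer are constructed here.

```javascript
// Added example; not Node.js project code and not from the advisory.
// Demonstrates HTTP response splitting through a header value and a
// stricter validator. Assumption of this example: header values are
// written to the socket as latin1, keeping only the low 8 bits of each
// UTF-16 code unit.

const CR = 0x0d;
const LF = 0x0a;

// Naive check: only looks for literal CR/LF in the JavaScript string.
function naiveHeaderCheck(value) {
  return !/[\r\n]/.test(value);
}

// Simulated wire encoding (assumption, see above): Buffer's 'latin1'
// encoding truncates code units above 0xFF to their low byte.
function toWireBytes(value) {
  return Buffer.from(value, 'latin1');
}

// Would the serialized header contain a CRLF, ending the header line
// early and letting the attacker append headers or a second response?
function wireContainsCrlf(value) {
  const b = toWireBytes(value);
  for (let i = 0; i + 1 < b.length; i++) {
    if (b[i] === CR && b[i + 1] === LF) return true;
  }
  return false;
}

// Stricter check: every code unit must be a printable single byte.
// Rejects anything > 0xFF (cannot be one byte), all C0 controls except
// HTAB, and DEL, so no input can turn into CR or LF on the wire.
function isSafeHeaderValue(value) {
  if (typeof value !== 'string') return false;
  for (let i = 0; i < value.length; i++) {
    const c = value.charCodeAt(i);
    if (c > 0xff) return false;
    if (c < 0x20 && c !== 0x09) return false;
    if (c === 0x7f) return false;
  }
  return true;
}

// Render a minimal response so the split is visible as bytes.
function renderResponse(headers) {
  const lines = ['HTTP/1.1 200 OK'];
  for (const [name, value] of Object.entries(headers)) {
    lines.push(`${name}: ${value}`);
  }
  lines.push('', '');
  return toWireBytes(lines.join('\r\n'));
}

// Count the header lines a receiver would see in the rendered bytes.
function headerLineCount(bytes) {
  return bytes.toString('latin1').split('\r\n').filter(Boolean).length;
}

// Constructed attacker-controlled value: U+010D U+010A look harmless as a
// JS string, but their low bytes are 0x0D 0x0A.
const SMUGGLED = 'text/html\u010D\u010ASet-Cookie: session=attacker';

console.log('naive check passes:', naiveHeaderCheck(SMUGGLED));
console.log('wire contains CRLF:', wireContainsCrlf(SMUGGLED));
console.log('strict check passes:', isSafeHeaderValue(SMUGGLED));
console.log('header lines seen by client:',
  headerLineCount(renderResponse({ 'Content-Type': SMUGGLED })));
```

The general lesson is to validate header values in the encoding they will have on the wire, not in the in-memory string form; any transformation between the two (truncation, normalization, transcoding) is a place where a check can be bypassed.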
Nodejs - Access bypass - Moderately Critical -- DRUPAL-SA-CONTRIB-2016-007
This module provides an API that other modules can use to add realtime capabilities to Drupal, specifically enabling pushing updates to open connected clients. The module doesn't disconnect unauthenticated sockets, allowing those sockets to receive broadcast messages. For sites that only serve...
[SECURITY] Fedora 23 Update: nodejs-0.10.42-4.fc23
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...
February 2016 Security Release Summary
February 2016 Security Release Summary. Two weeks ago we announced the planned release of updates to all active release lines, v0.10, v0.12, v4 and v5, to fix HTTP related vulnerabilities and to upgrade the bundled versions of OpenSSL. Upon release of the OpenSSL updates we posted an impact...
OpenSSL upgrade low-severity Node.js security fixes
OpenSSL upgrade, low-severity Node.js security fixes. Updates to this post, including a schedule change, are included below. Summary: The Node.js project will be releasing new versions across all of its active release lines early next week, possibly sooner, pending full impact assessment to incorporate...
openSUSE Security Update : nodejs (openSUSE-2016-46)
This update contains nodejs 4.2.4 and fixes the following issues: - CVE-2015-6764: unspecified out-of-bounds access vulnerability (boo#956902) - CVE-2015-8027: unspecified denial of service vulnerability (boo#956901) The following non-security bugs were fixed: - boo#948045: Nodejs 4.0 rpm does not...