107 matches found
Node.js third-party modules: Command Injection vulnerability in kill-port-process package
I would like to report a command injection vulnerability in the kill-port-process package. It allows an attacker to inject arbitrary commands. Module module name: kill-port-process version: 1.1.0 npm page: https://www.npmjs.com/package/kill-port-process Module Stats 0 downloads in the last day 13...
Node.js third-party modules: Command Injection due to lack of sanitisation of tar.gz filename passed as an argument to pm2.install() function
Hi Guys, It's been a while : I would like to report Command Injection in pm2.import function when tar.gz archive is installed with a name provided as user controlled input. Due to lack of proper validation of tar.gz archive filename, this vulnerability allows to inject arbitrary commands and...
Node.js third-party modules: Application level denial of service due to shutting down the server
Module module name: http-live-simulator version: 1.0.7 npm page: https://www.npmjs.com/package/http-live-simulator Description I've found a way to crash the server due to the way it parses URL Steps To Reproduce: 1- Install the module : npm install -g http-live-simulator 2- Run the server :...
Node.js third-party modules: [url-parse] Improper Validation and Sanitization
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report Improper...
Node.js third-party modules: [http-live-simulator] Path traversal vulnerability
Module module name: http-live-simulator version: 1.0.6 npm page: https://www.npmjs.com/package/http-live-simulator Description this vulnerability is a bypass for the one found in this report in version 1.0.5 Steps To Reproduce: 1- Install the module : npm install -g http-live-simulator 2- Run the...
Node.js third-party modules: Code Injection Vulnerability in dot Package
I would like to report a code injection vulnerability in dot. It allows attackers to execute arbitrary JS code, especially when combined with a prototype pollution attack. Module module name: dot version: 1.1.2 npm page: https://www.npmjs.com/package/dot Module Description Created in search of th...
Node.js third-party modules: Prototype pollution attack (defaults-deep / constructor.prototype)
I would like to report a prototype pollution vulnerability in defaults-deep. It allows an attacker to inject properties on Object.prototype. Module module name: defaults-deep version: 0.2.4 npm page: https://www.npmjs.com/package/defaults-deep Module Description Like extend but recursively copies...
Node.js third-party modules: [serve] Server Directory Traversal
I would like to report a Server Directory Traversal vulnerability in serve. It allows reading local files on the target server. Module module name: serve version: 7.0.1 npm page: https://www.npmjs.com/package/serve Module Description Assuming you would like to serve a static site, single page...
Node.js third-party modules: [buttle] Path traversal in mid-buttle module allows to read any file in the server.
Hello Node.js third-party modules I would like to report path traversal in buttle module It allows me to read any file in the server if i know the path. Module module name: buttle version: 0.2.0 npm page: https://www.npmjs.com/package/buttle Module Description Simple static file + markdown server...
Node.js third-party modules: [servey] Path Traversal allows to retrieve content of any file with extension from remote server
Hi Team, I would like to report a partial Path Traversal in servey module. It allows to read content of any arbitrary file with extension from the server. Module module name: servey version: 2.2.0 npm page: https://www.npmjs.com/package/servey Module Description A static & single page application...
Node.js third-party modules: [localhost-now] bypassing url filter which leads to read content of arbitrary file
Hi guys, i can bypass url filter in localhost-now module. It allows to read content of arbitrary files on the remote server. Module module name: localhost-now version: 1.0.2 npm page: https://www.npmjs.com/package/localhost-now Module Stats 26 downloads in the last week Vulnerability Description...
Node.js third-party modules: npm packages that overlap with core node packages
Hi, I have posted here, but I wanted to make you aware of this easy social engineering trick. I do not want to claim any of these are currently malicious, but it they easily could be. Thanks, Marc Impact The attacker could do anything...use the postinstall as the user, work the same as steal data...
Node.js third-party modules: [buttle] HTML Injection in filename leads to XSS when directory listing is displayed in the browser
I would like to report HTML Injection in buttle module. Due to lack of filenames sanitization, it is possible to inject malicious iframe tag via filename and execute arbitray JavaScript code. Module module name: buttle version: 0.2.0 npm page: https://www.npmjs.com/package/buttle Module Descripti...
Node.js third-party modules: `concat-with-sourcemaps` allocates uninitialized Buffers when number is passed as a separator
I would like to report an uninitialized Buffer allocation issue in concat-with-sourcemaps. It allows to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in unlikely setups where separator is attacker-controlled. Module module name:...
Node.js third-party modules: [m-server] Path Traversal allows to display content of arbitrary file(s) from the server
I would like to report Path Traversal in m-server module. It allows to read content of any arbitrary file from the server where m-server is installed and run. Module module name: m-server version: 1.4.0 npm page: https://www.npmjs.com/package/m-server Module Description M-Server is a mini http...
Node.js third-party modules: [public] Stored XSS in filenames in directory served by public
Hi Guys, public allows to embed HTML in file names, which in certain conditions might lead to execute malicious JavaScript. I put https://www.npmjs.com/package/public in Weakness section - 'Where is the stored content accessible?' because it does not allowed me to open report with...
Node.js third-party modules: Prototype pollution attack (deep-extend)
As discussed in 309391, here's the separate report for each of the library. This one is the information for the deep-extend library. Module: deep-extend Summary: Utilities function in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker control part of...
Node.js third-party modules: [crud-file-server] Stored XSS in filenames when directory index is served by crud-file-server
Hi Guys, crud-file-server allows to embed HTML in file names, which in certain conditions might lead to execute malicious JavaScript. Module crud-file-server This package exposes a directory and its children to create, read, update, and delete operations over http...
Node.js third-party modules: Prototype pollution attack (assign-deep)
As discussed in 309391, here's the separate report for each of the library. This one is the information for the assign-deep library. Module: assign-deep Summary: Utilities function in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker control part of...
Node.js third-party modules: Prototype pollution attack (merge-objects)
As discussed in 309391, here's the separate report for each of the library. This one is the information for the merge-objects library. Module: merge-object Summary: Utilities function in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker control part ...