1635 matches found

Node.js
•added 2021/09/20 6:58 p.m.•91 views

Type confusion

Overview: In mpath before 0.8.4 a type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because the method that has been called if the input is an array is...

CVSS: 7.5 | AI score: 3.4 | EPSS: 0.00518
Exploits: 2 | Affected Software: 1
Node.js
•added 2021/09/20 6:55 p.m.•55 views

Code Injection

Overview: In pac-resolver before 5.0.0 code-injection can occur when used with untrusted input, due to unsafe PAC file handling. Recommendation: Upgrade to version 5.0.0 or later. References: CVE, GitHub Advisory, Article...

CVSS: 7.5 | AI score: 3.3 | EPSS: 0.00999
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/08/31 4:14 p.m.•48 views

UNIX Symbolic Link (Symlink) Following

Overview. Impact: Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution. @npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be...

CVSS: 4.4 | AI score: 0.4 | EPSS: 0.00211
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/08/31 4:14 p.m.•48 views

UNIX Symbolic Link (Symlink) Following

Overview. Impact: Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution. @npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be...

CVSS: 4.4 | AI score: 0.5 | EPSS: 0.00718
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/08/31 4:10 p.m.•323 views

Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization

Overview. Impact: Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within t...

CVSS: 4.4 | AI score: 1.3 | EPSS: 0.00316
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/08/31 4:10 p.m.•789 views

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links

Overview. Impact: Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks...

CVSS: 4.4 | AI score: 2.2 | EPSS: 0.00085
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/08/31 4:10 p.m.•66 views

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links

Overview. Impact: Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks...

CVSS: 4.4 | AI score: 0.9 | EPSS: 0.00098
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/08/12 2:51 p.m.•82 views

Open Redirect in Next.js

Overview: In next (aka Next.js) before version 11.1.0 there is an Open Redirect vulnerability. Impact: Affected: Users of Next.js between 10.0.5 and 10.2.0; Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js without getInitialProps; Affected: Users of Next.js between 11.0.0...

CVSS: 5.8 | AI score: 2 | EPSS: 0.0043
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/08/10 4:10 p.m.•70 views

Cross-Site Scripting (XSS)

Overview: In affected versions of video.js, the src attribute of track tag allows to bypass HTML escaping and execute arbitrary code. Recommendation: Upgrade to version 7.14.3 or later. References: CVE, GitHub Advisory...

CVSS: 4.3 | AI score: 4.1 | EPSS: 0.0045
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/08/10 4:10 p.m.•54 views

Open Redirect

Overview: Affected versions of npm url-parse are vulnerable to URL Redirection to Untrusted Site. Impact: Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. Recommendation: Upgrade to...

CVSS: 5 | AI score: 4.8 | EPSS: 0.00239
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/08/10 4:10 p.m.•67 views

Prototype Pollution

Overview: Affected versions of jszip have a prototype pollution vulnerability. Crafting a new zip file with filenames set to Object prototype values (e.g. __proto__, toString, etc.) results in a returned object with a modified prototype instance. Recommendation: Upgrade to version 3.7.0 or later. References...

CVSS: 5 | AI score: 3.6 | EPSS: 0.01214
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/08/10 3:59 p.m.•167 views

Regular Expression Denial of Service in path-parse

Overview: Affected versions of path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity. Recommendation: Upgrade to version 1.0.7 or later. References: CVE, GitH...

CVSS: 5 | AI score: 4.9 | EPSS: 0.00349
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/08/05 5:10 p.m.•44 views

Arbitrary Command Injection due to Improper Command Sanitization

Overview. Summary: There exists a command injection vulnerability in @npmcli/git versions 2.0.8 which may result in arbitrary shell command execution due to improper argument sanitization when npmcli/git is used to execute Git commands based on user controlled input. The impact of this issue is...

AI score: 8.9
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/08/03 6:14 p.m.•106 views

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning

Overview: The tar package has a high severity vulnerability before versions 3.2.3, 4.4.15, 5.0.7, and 6.1.2. Impact: Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths...

CVSS: 5.8 | AI score: 1.7 | EPSS: 0.00122
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/08/03 6:11 p.m.•130 views

Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization

Overview: The tar package has a high severity vulnerability before versions 3.2.2, 4.4.14, 5.0.6, and 6.1.1. Impact: Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths...

CVSS: 5.8 | AI score: 1.6 | EPSS: 0.84982
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/08/03 4:57 p.m.•64 views

Misinterpretation of malicious XML input

Overview. Impact: xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. Patches: Update to 0.7.0 see issue 271 for the stat...

CVSS: 5 | AI score: 3.8 | EPSS: 0.01146
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/08/03 4:53 p.m.•39 views

Improperly Controlled Modification of Object Prototype Attributes

Overview: think-logic before version 1.1.3 has a prototype pollution vulnerability. Impact: The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object...

AI score: 6.8
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/07/22 7:54 p.m.•79 views

Denial of Service

Overview: SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js. Recommendation: Upgrade to version 0.17.0 or later. References: GitHub Advisory, CVE...

CVSS: 4.3 | AI score: 4.9 | EPSS: 0.00212
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/07/19 9:26 p.m.•76 views

Hostname spoofing via backslashes in URL

Overview. Impact: If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a combination of backslash \ and slash / characters as part of the scheme delimiter, e.g. scheme:///\hostname. If the hostname is used in security decisions, the decision may be...

CVSS: 5.8 | AI score: 1 | EPSS: 0.00175
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/07/19 3:36 p.m.•72 views

Sensitive Data Exposure

Overview: The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected. Example affected...

CVSS: 5 | AI score: 1.8 | EPSS: 0.00238
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/07/02 7:21 p.m.•79 views

Improper Authentication

Overview: The Utils.readChallengeTx function used in SEP-10 Stellar Web Authentication states in its function documentation that it reads and validates the challenge transaction including verifying that the serverAccountID has signed the transaction. The function does not verify that the server ha...

CVSS: 4 | AI score: 2 | EPSS: 0.00069
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/06/30 4:56 p.m.•289 views

Resource exhaustion in socket.io-parser

Overview: The socket.io-parser npm package before versions 3.3.2 and 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used. Recommendation: Upgrade to versions 3.3.2, 3.4.1 or later. References: CVE, GitHub Advisory...

CVSS: 5 | AI score: 5.8 | EPSS: 0.00528
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/06/28 6:33 p.m.•60 views

Regular Expression Denial of Service

Overview: In prismjs before 1.24.0 some languages are vulnerable to Regular Expression Denial of Service (ReDoS). Impact: When Prism is used to highlight untrusted user-given text, an attacker can craft a string that will take a very very long time to highlight. Do not use the following languages to...

CVSS: 4.3 | AI score: 1.9 | EPSS: 0.00373
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/06/28 5:20 p.m.•137 views

Cross-site scripting

Overview: Two kinds of XSS were found in affected versions of mongo-express. 1. As mentioned in https://github.com/mongo-express/mongo-express/issues/577 when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however this needs admin...

CVSS: 4.3 | AI score: 0.5 | EPSS: 0.01294
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/06/28 4:49 p.m.•62 views

Reflected XSS from the callback handler's error query parameter

Overview: @auth0/nextjs-auth0 versions before and including 1.4.1 are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the error query parameter which is then processed by the callback handler as an error message. Am I affected? You are...

CVSS: 4.3 | AI score: 1.8 | EPSS: 0.00581
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/06/21 5:16 p.m.•58 views

Prototype Pollution

Overview: Prototype pollution vulnerability in ‘set-getter’ version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution. Recommendation: Upgrade to version 0.1.1 or later. References: CVE, GitHub Advisory...

CVSS: 7.5 | AI score: 7.2 | EPSS: 0.02286
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/06/21 5:0 p.m.•127 views

Sanitization Bypass

Overview: A type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function...

CVSS: 5 | AI score: 2 | EPSS: 0.00292
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/06/10 5:26 p.m.•60 views

Uncontrolled Resource Consumption in locutus

Overview: locutus before 2.0.15 are vulnerable to Regular Expression Denial of Service (ReDoS) via the gopher_parsedir function. Recommendation: Upgrade to version 2.0.15 or later. References: CVE, GitHub Advisory...

CVSS: 5 | AI score: 5.3 | EPSS: 0.00408
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/06/08 11:16 p.m.•52 views

Prototype Pollution

Overview: Prototype pollution vulnerability in 'js-extend' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution. Recommendation: Avoid using js-extend as there is no current safe version of this module. References: CVE, GitHub Advisory...

CVSS: 7.5 | AI score: 7.3 | EPSS: 0.0254
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/06/08 11:12 p.m.•66 views

Regular Expression Denial of Service

Overview: normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs. Recommendation: Upgrade to versions 4.5.1, 5.3.1, 6.0.1 or later. References: CVE, GitHub Advisory...

CVSS: 5 | AI score: 5.5 | EPSS: 0.00355
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/06/07 10:13 p.m.•61 views

Denial of Service

Overview: css-what from version 4.0.0 and before version 5.0.1 does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input. Recommendation: Upgrade to version 5.0.1 or later. References: CVE, GitHub Advisory...

CVSS: 5 | AI score: 5.2 | EPSS: 0.00172
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/06/07 10:13 p.m.•101 views

Regular Expression Denial of Service

Overview: trim-newlines before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end method. Recommendation: Upgrade to versions 3.0.1 or 4.0.1 or later. References: CVE, GitHub Advisory...

CVSS: 5 | AI score: 5.7 | EPSS: 0.01642
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/06/07 10:9 p.m.•55 views

Prototype Pollution

Overview: merge-deep before 3.0.3 can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library. Recommendation...

CVSS: 7.5 | AI score: 4.5 | EPSS: 0.0109
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/06/07 9:57 p.m.•238 views

Regular expression denial of service

Overview: glob-parent before 5.1.2 has a regular expression denial of service vulnerability. The enclosure regex used to check for strings ending in enclosure containing path separator. Recommendation: Upgrade to version 5.1.2 or later. References: CVE, GitHub Advisory...

CVSS: 5 | AI score: 4.8 | EPSS: 0.00964
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/06/04 7:17 p.m.•203 views

Reflected Cross-Site Scripting

Overview: There is an XSS vulnerability in affected versions of auth0-lock. Versions before and including 11.30.0 are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's - flashMessage feature is utilized and user input or data from URL parameters is...

CVSS: 4.3 | AI score: 1.9 | EPSS: 0.00793
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/05/28 7:31 p.m.•19 views

Cross-Site Scripting

Overview: There is an XSS vulnerability in tinymce before version 5.7.1. Impact: A cross-site scripting (XSS) vulnerability was discovered in the URL sanitization logic of the core parser for form elements. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted...

AI score: 5.5
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/05/28 7:31 p.m.•65 views

Regular Expression Denial of Service

Overview: In ws before versions 5.2.3, 6.2.2 and 7.4.6 there is a ReDOS vulnerability. Impact: A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. Proof of concept: js for const length of 1000, 2000, 4000, 8000, 16000, 32000 const value ...

CVSS: 5 | AI score: 1.9 | EPSS: 0.01154
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/05/24 7:56 p.m.•64 views

Regular Expression Denial of Service

Overview: The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries. Recommendation: Upgrade to version 4.16.5 or later. References: CVE, GitHub Advisory...

CVSS: 5 | AI score: 5.4 | EPSS: 0.00599
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/05/24 7:56 p.m.•62 views

Improper Verification of Cryptographic Signature

Overview: The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever...

CVSS: 7.5 | AI score: 4.5 | EPSS: 0.00183
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/05/24 7:56 p.m.•71 views

Memory Exposure

Overview: This affects the package dns-packet before versions 1.3.2 and 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names...

CVSS: 4 | AI score: 4.2 | EPSS: 0.00447
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/05/18 1:58 a.m.•26 views

Uncontrolled Resource Consumption

Overview: This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program. Recommendation: Upgrade to version 0.3....

CVSS: 5 | AI score: 4.4 | EPSS: 0.00169
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/05/18 1:58 a.m.•31 views

Cross-Site Scripting (XSS)

Overview: docsify prior to 4.11.4 is susceptible to Cross-site Scripting (XSS). Docsify.js uses fragment identifiers (parameters after # sign) to load resources from server-side .md files. Due to lack of validation here, it is possible to provide external URLs after the /#/ (domain.com/#//attacker.com) and...

CVSS: 4.3 | AI score: 2.3 | EPSS: 0.03162
Exploits: 5 | Affected Software: 1
Node.js
•added 2021/05/18 1:57 a.m.•70 views

Credential leak in react-native-fast-image

Overview: This affects all versions before version 8.3.0 of package react-native-fast-image. When an image with source={{uri: "...", headers: {host: "somehost.com", authorization: "..."}}} is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other...

CVSS: 5 | AI score: 3.7 | EPSS: 0.00455
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/05/18 1:57 a.m.•68 views

Path traversal in rollup-plugin-serve

Overview: Path traversal in rollup-plugin-serve before version 1.0.2. There is no path sanitization in readFile operation. Recommendation: Upgrade to version 1.0.2 or later. References: CVE, GitHub Advisory...

CVSS: 7.5 | AI score: 3.3 | EPSS: 0.00569
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/05/18 1:43 a.m.•61 views

Injection and Command Injection in devcert

Overview: A command injection vulnerability in the devcert module may lead to remote code execution when users of the module pass untrusted input to the certificateFor function. Recommendation: Upgrade to version 1.1.2 or later. References: CVE, GitHub Advisory...

CVSS: 7.5 | AI score: 5.3 | EPSS: 0.01493
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/05/17 9:1 p.m.•65 views

Cross-site scripting in jspdf

Overview: In jspdf before version 2.0.0 it is possible to inject JavaScript code via the html method. Recommendation: Upgrade to version 2.0.0 or later. References: CVE, GitHub Advisory...

CVSS: 4.3 | AI score: 3.1 | EPSS: 0.00234
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/05/17 8:54 p.m.•64 views

cookie tossing attack

Overview: Users that used fastify-csrf with the "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Recommendation: Upgrade to version 3.1.0 or later. References: CVE, GitHub Advisory...

CVSS: 4.3 | AI score: 2 | EPSS: 0.00168
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/05/13 8:29 p.m.•86 views

Regular Expression Denial of Service

Overview: In websocket-extensions before version 0.1.4, there is a vulnerability which allows an attacker to exhaust the server's capacity to process incoming requests by sending a WebSocket handshake request containing a header of the following form: Sec-WebSocket-Extensions: a;...

CVSS: 5 | AI score: 3.6 | EPSS: 0.0034
Exploits: 1 | Affected Software: 1
Node.js
•added 2021/05/11 4:44 p.m.•81 views

Regular Expression Denial of Service (ReDoS)

Overview: jspdf before version 2.3.1 has a regular expression denial-of-service via the addImage function. Recommendation: Upgrade to version 2.3.1 or later. References: CVE, GitHub Advisory...

CVSS: 5 | AI score: 6 | EPSS: 0.00674
Exploits: 0 | Affected Software: 1
Node.js
•added 2021/05/10 7:18 p.m.•89 views

Command Injection

Overview: nodemailer before version 6.4.16 is vulnerable to command injection. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails. Recommendation: Upgrade to version 6.4.16 or later. References: CVE, GitHub Advisory...

CVSS: 7.5 | AI score: 4.1 | EPSS: 0.00509
Exploits: 1 | Affected Software: 1
Total number of security vulnerabilities: 1635