Remote Memory Exposure
Overview Versions of mysql before 2.14.0 are vulnerable to remote memory exposure. Affected versions of the mysql package allocate and send uninitialized memory over the network when a number is provided as a password. Only mysql running on Node.js versions below 6.0.0 is affected due to a throw...
Cross-Site Scripting (XSS)
Overview Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option. Recommendation Update to version 3.0.0 or later. References - Issu...
Cross-Site Scripting
Overview Affected versions of jquery are vulnerable to cross-site scripting. This occurs because the main jquery function uses a regular expression to differentiate between HTML and selectors, but does not properly anchor the regular expression. The result is that jquery may interpret HTML as...
XSS in dialog closeText
Overview Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function. jQuery-UI is a library for manipulating UI elements via jQuery. Version 1.11.4 has a cross site...
Denial of Service
Overview Affected versions of jquery use a lowercasing logic on attribute names. When given a boolean attribute with a name that contains uppercase characters, jquery enters into an infinite recursion loop, exceeding the call stack limit, and resulting in a denial of service condition...
Machine-In-The-Middle
Overview Affected versions of airtable are vulnerable to Machine-In-The-Middle. The package has SSL certificate validation disabled by default unintentionally. This may allow attackers in a privileged network position to decrypt intercepted traffic. Recommendation Upgrade to version 0.7.2 or late...
Sandbox Breakout
Overview Affected versions of safe-eval are vulnerable to a sandbox escape. By accessing object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox. Proof of Concept: This code accesses the process object and calls .exit var safeEv...
Sandbox Bypass Leading to Arbitrary Code Execution
Overview Versions of constantinople prior to 3.1.1 are vulnerable to a sandbox bypass which can lead to arbitrary code execution. Recommendation Update to version 3.1.1 or later. References GitHub Advisory...
Downloads Resources over HTTP
Overview Affected versions of macaca-chromedriver insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
Overview Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks...
Information Exposure on Case Insensitive File Systems
Overview Versions of serve before 7.0.0 are vulnerable to information exposure, bypassing the ignore security control, but only on case insensitive file systems. Recommendation Update to version 7.0.0 or later. References - HackerOne Report - GitHub Advisory...
Command Injection
Overview Versions of pdf-image before 2.0.0 are vulnerable to command injection. This vulnerability is exploitable if the attacker has control over the pdfFilePath variable passed into pdf-image. Recommendation Update to version 2.0.0 or later. References - HackerOne Report - GitHub Advisory...
Arbitrary File Write via Archive Extraction
Overview Versions of adm-zip before 0.4.9 are vulnerable to arbitrary file write when used to extract a specifically crafted archive that contains path traversal filenames, for example ../../file.txt. Recommendation Update to version 0.4.9 or later. References - GitHub Pull Request - Zip Slip...
Cross-Site Scripting
Overview All versions of sexstatic are vulnerable to stored cross-site scripting (XSS). This is exploitable if an attacker can control a filename that is served by sexstatic. Recommendation As there is no fix currently available for this vulnerability, it is our recommendation to not install or...
Open Redirect
Overview Versions of url-parse before 1.4.3 return the wrong hostname, which could lead to Open Redirect, Server Side Request Forgery (SSRF), or Bypass Authentication Protocol vulnerabilities. Recommendation Update to version 1.4.3 or later. References - HackerOne Report - GitHub Commit - GitHub...
Improper Authorization
Overview Versions of aedes before 0.35.1 do not respect their own authorization rules when a client sets a Last Will. Recommendation Update to version 0.35.1 or later. References - GitHub Issue 211 - GitHub Issue 212 - GitHub Advisory...
SQL Injection
Overview All versions of query-mysql are vulnerable to SQL injection due to a lack of user input sanitization, which allows arbitrary SQL queries to be run when fetching data from the database. Recommendation No fix is currently available for this vulnerability. It is our recommendation to not install or use thi...
Arbitrary File Write via Archive Extraction
Overview Versions of unzipper before 0.8.13 are vulnerable to arbitrary file write when used to extract a specifically crafted archive that contains path traversal filenames, for example ../../file.txt. Recommendation Update to version 0.3.18 or later. References - GitHub Pull Request - Zip Slip...
Cross-Site Scripting
Overview All versions of react-marked-markdown are vulnerable to cross-site scripting (XSS) via href attributes. This is exploitable if user input is provided to react-marked-markdown. Proof of concept: import React from 'react' import ReactDOM from 'react-dom' import MarkdownPreview from...
Out-of-bounds Read
Overview Versions of base64-url before 2.0.0 are vulnerable to out-of-bounds read, as the package allocates uninitialized Buffers when a number is passed as input. Recommendation Update to version 2.0.0 or later. References - HackerOne Report - GitHub Advisory...
Command Injection
Overview Versions of command-exists before 1.2.4 are vulnerable to command injection. This is exploitable if user input is provided to this module. Recommendation Update to version 1.2.4 or later. References - HackerOne Report -...
Path Traversal
Overview All versions of localhost-now are vulnerable to path traversal. This vulnerability is a bypass of the path traversal fix introduced in version 1.0.2. Proof of concept: $ curl -v --path-as-is "http://IP:5432/..././..././..././..././..././..././..././..././..././..././etc/passwd"...
Command Injection
Overview All versions of buttle are vulnerable to command injection. Remote command execution is possible when buttle is run with the --php-bin flag. Recommendation No fix is currently available for this vulnerability. It is our recommendation to not install or use this module at this time...
Path Traversal
Overview Versions of html-pages before 2.1.0 are vulnerable to path traversal. Recommendation Update to version 2.1.0 or later. References - HackerOne Report - GitHub Advisory...
Command Injection
Overview All versions of fs-path are vulnerable to command injection if unsanitized user input is passed in. Recommendation No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available. References - HackerOne Report -...
Path Traversal
Overview Versions of angular-http-server before 1.4.4 are vulnerable to path traversal. Recommendation Update to version 1.4.4 or later. References - HackerOne Report https://hackerone.com/reports/330349 - Commit 8bafc95 - GitHub Advisory...
Malicious Package
Overview Version 2.0.0 of eslint-config-airbnb-standard was published with a bundled version of eslint-scope that was found to contain malicious code. This code would read the user's .npmrc file and send its contents to a remote server. Recommendation The best course of action if you found this...
Command Injection
Overview Versions of open before 6.0.0 are vulnerable to command injection when unsanitized user input is passed in. The package does come with the following warning in the readme: The same care should be taken when calling open as if you were calling child_process.exec directly. If it is an...
Command Injection
Overview All versions of macaddress are vulnerable to command injection. For this vulnerability to be exploited, an attacker needs to control the iface argument to the one method. Recommendation Update to version 0.2.9 or later. References - HackerOne Report - GitHub PR 20 - GitHub Advisory...
Out-of-bounds Read
Overview Versions of njwt prior to 1.0.0 are vulnerable to out-of-bounds reads when a number is passed into the base64urlEncode function. On Node.js 6.x or lower this can expose sensitive information and on any other version of Node.js this creates a Denial of Service vulnerability. Recommendatio...
SQL Injection
Overview All versions of sql are vulnerable to SQL injection, as the package does not properly escape parameters when building SQL queries. Recommendation No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available. References -...
Out-of-bounds Read
Overview Versions of stringstream before 0.0.6 are vulnerable to out-of-bounds read, as the package allocates uninitialized Buffers when a number is passed to the input stream on Node.js 4.x and below. Recommendation Upgrade to version 0.0.6 or later. References - HackerOne Report -...
Open Redirect
Overview Versions of hekto before 0.2.4 are vulnerable to open redirect when a domain name is used as part of the .html filename. Recommendation Update to version 0.2.4 or later. References - HackerOne Report - PR 3 - GitHub Advisory...
Out-of-bounds Read
Overview Versions of base64url before 3.0.0 are vulnerable to out-of-bounds reads, as the package allocates uninitialized Buffers when a number is passed as input on Node.js 4.x and below. Recommendation Update to version 3.0.0 or later. References - HackerOne Report - PR 25 - GitHub Advisory...
Malicious Package
Overview Version 5.0.2 of eslint-config-eslint was published without authorization and was found to contain malicious code. This code would read the user's .npmrc file and send any found authentication tokens to a remote server. Recommendation The best course of action if you found this package...
Out-of-bounds Read
Overview Versions of npmconf before 2.1.3 allocate and write to disk uninitialized memory contents when a typed number is passed as input on Node.js 4.x. Recommendation Update to version 2.1.3 or later. Consider switching to another config storage mechanism, as npmconf is deprecated and should no...
Malicious Package
Overview Version 3.7.2 of eslint-scope was published without authorization and was found to contain malicious code. This code would read the user's .npmrc file and send any found authentication tokens to 2 remote servers. Recommendation The best course of action if you found this package installed...
Prototype Pollution
Overview Versions of deep-extend before 0.5.1 are vulnerable to prototype pollution. Recommendation Update to version 0.5.1 or later. References - HackerOne Report - GitHub Advisory...
Out-of-bounds Read
Overview Versions of atob before 2.1.0 allocate uninitialized Buffers when a number is passed as input on Node.js 4.x and below. Recommendation Update to version 2.1.0 or later. References - HackerOne Report - GitHub Advisory...
Command Injection
Overview Versions of pdfinfojs before 0.4.1 are vulnerable to command injection. This is exploitable if an attacker can control the filename parameter that is passed into the pdfinfojs constructor. Recommendation Update to version 0.4.1 or later. References - HackerOne Report - Commit 5cc59cd -...
Path Traversal
Overview All versions of superstatic are vulnerable to path traversal when used on Windows. Additionally, it is vulnerable to path traversal on other platforms when combined with certain Node.js versions which erroneously normalize \ to / in paths on all platforms, a known example being Node.js v9.9.0...
Malicious Package
Overview The getcookies module contained a backdoor that would allow for a remote attacker to execute arbitrary commands on the system running the malicious module. Recommendation This module should be uninstalled if found used within an application. In addition to removing the installed module,...
Denial of Service
Overview All versions of rgb2hex are vulnerable to Regular Expression Denial of Service (ReDoS) when an attacker can pass in a specially crafted invalid color value. Recommendation Update to version 0.1.6 or later. References - HackerOne Report -...
Out-of-bounds Read
Overview Versions of byte before 1.4.1 allocate uninitialized buffers and read data from them past the initialized length. Recommendation Update to version 1.4.1 or later. References - HackerOne Report - PR 3 - GitHub Advisory...
Denial of Service
Overview All versions of foreman are vulnerable to Regular Expression Denial of Service when requests to it are made with a specially crafted path. Recommendation Upgrade to version 3.0.1. References - HackerOne Report - https://github.com/strongloop/node-foreman/blob/v2.0.0/forward.js#L30 - GitHu...
Path Traversal
Overview All versions of mcstatic are vulnerable to path traversal. Recommendation No fix is currently available for this vulnerability. It is our recommendation to not install or use this module at this time. References - HackerOne Report - GitHub Advisory...
Cross-Site Scripting
Overview Versions of react-svg before 2.2.18 are vulnerable to cross-site scripting (XSS). This is due to the fact that scripts found in SVG files are run by default. Recommendation Update to version 2.2.18 or later. References - GitHub PR 57 - GitHub Advisory...
Malicious Package
Overview ladder-text-js contained a malicious script that attempted to delete all files when npm test was run. Recommendation This module has been unpublished from the npm Registry. If you find this module in your environment remove it. References GitHub Advisory...
Cross-Site Scripting
Overview All versions of public are vulnerable to stored cross-site scripting (XSS). Recommendation No fix is currently available for this vulnerability. It is our recommendation to not install or use this module at this time. References - HackerOne Report - GitHub Advisory...
Malicious Package
Overview nothing-js contained a malicious script that attempted to delete all files when npm test was run. Recommendation This module has been unpublished from the npm Registry. If you find this module in your environment remove it. References GitHub Advisory...