Directory Traversal

Overview Versions 13.0.8 and earlier of geddy are vulnerable to a directory traversal attack via URI encoded attack vectors. Proof of Concept http://localhost:4000/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd Recommendation Update geddy to version =...

File Descriptor Leak Can Cause DoS Vulnerability

Overview Versions 2.0.x and 2.1.x of hapi are vulnerable to a denial of service attack via a file descriptor leak. When triggered repeatedly, this leak will cause the server to run out of file descriptors and the node process to die. The effort required to take down a server depends on the proces...

Regular Expression Denial of Service

Overview Affected versions of diff are vulnerable to Regular Expression Denial of Service ReDoS. This can cause an impact of about 10 seconds matching time for data 48K characters long. Recommendation Upgrade to 3.5.0 or later. References - WhiteSource Advisory - Snyk Advisory - GitHub Advisory...

Prototype Pollution

Overview All versions of utils-extend are vulnerable to prototype pollution. The extend function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation No fix is currently...

Cross-Site Scripting

Overview Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications. Recommendation Upgrade to version 2.1.1 or later. References - GitHub advisor...

Prototype Pollution

Overview Versions of mixin-deep prior to 2.0.1 or 1.3.2 are vulnerable to Prototype Pollution. The mixinDeep function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all...

Path Traversal

Overview Versions of serve prior to 7.0.1 are vulnerable to Path Traversal. Explicitly ignored folders can be accessed through if the path contains a /./, which allows attackers to access hidden folders and files. Recommendation Upgrade to version 7.0.1 or later. References - HackerOne Report -...

Path Traversal

Overview All versions of static-resource-server are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available...

Cross-Site Scripting

Overview Versions of metascraper prior to 5.3.0 are vulnerable to stored cross-site scripting XSS. Recommendation Upgrade to version 5.3.0 or later. References - HackerOne Report - GitHub Advisory...

Cross-site Scripting (XSS) - Stored

Overview Versions of crud-file-server before 0.8.0 are vulnerable to stored cross-site scripting XSS. This is due to insufficient santiziation of filenames when directory index is served by crud-file-server. Recommendation Update to version 0.8.0 or later. References - GitHub Commit 4155bfe -...

Regular Expression Denial of Service

Overview Affected versions of charset are susceptible to a regular expression denial of service. The amplification on this vulnerability is relatively low - it takes around 2 seconds for the engine to execute on a malicious input which is 50,000 characters in length. If node was compiled using th...

Directory Traversal

Overview Affected versions of lab6.brit95 resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable syste...

Directory Traversal

Overview Affected versions of sspa resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

Directory Traversal

Overview Affected versions of yjmyjmyjm resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

Directory Traversal

Overview Affected versions of shenliru resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

Downloads Resources over HTTP

Overview Affected versions of cloudpub-redis insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code executi...

Downloads Resources over HTTP

Overview Affected versions of macaca-chromedriver-zxa insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in cod...

Downloads Resources over HTTP

Overview Affected versions of selenium-binaries insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

Cross-Site Scripting

Overview Affected versions of c3 are vulnerable to cross-site scripting via improper sanitization of HTML in rendered tooltips. Recommendation Update to 0.4.11 or later. References - Issue 1536 - GitHub Advisory...

Template Injection

Overview Affected versions of jsrender are susceptible to a remote code execution vulnerability when used with server delivered client-side tempates which dynamically embed user input. Proof of Concept for x!=1?constructor.constructor"return arguments.callee.caller":y10 :data /for function...

Private Data Disclosure

Overview Affected versions of express-restify-mongoose are susceptible to an information leakage vulnerability which may allow an attacker to access fields on a model even if those fields are marked as private. Proof of Concept If you have a user model that you want to protect, such as the...

Denial of Service

Overview Versions of ecstatic prior to 1.4.0 are affected by a denial of service vulnerability when certain input strings are sent via the Last-Modified or If-Modified-Since headers. Parsing certain inputs with new Date or Date.parse cases v8 to crash. As ecstatic passes the value of the affected...

Potential Command Injection

Overview When the ffprobe functionality is enabled on the server, HTTP POST requests can be made to /probe. These requests are passed to the ffprobe binary on the server. Through this HTTP endpoint it is possible to send a malformed source file name to ffprobe that results in arbitrary command...

Directory Traversal

Overview Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. For...

Multiple Content Injection Vulnerabilities

Overview Versions 0.3.0 and earlier of marked are affected by two cross-site scripting vulnerabilities, even when sanitize: true is set. The attack vectors for this vulnerability are GFM Codeblocks and JavaScript URLs. Recommendation Upgrade to version 0.3.1 or later. References GitHub Advisory...

Malicious Package

Overview The package jdb.js contained malicious code. The package ran a postinstall script and contained a dropper for the njRAT/Bladabindi Remote Access Trojan. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys...

Regular Expression Denial of Service

Overview npm-user-validate before version 1.0.1 is vulnerable to a Regular Expression Denial of Service REDos. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters. Impact The issue affects the email function. If you use this...

Server-Side Request Forgery

Overview Versions of @uppy/companion prior to 1.9.3 are vulnerable to Server-Side Request Forgery SSRF. The get route passes the user-controlled variable req.body.url to a GET request without sanitizing the value. This allows attackers to inject arbitrary URLs and make GET requests on behalf of t...

Arbitrary File Write

Overview Versions of adm-zip before 0.4.9 are vulnerable to arbitrary file write when used to extract a specifically crafted archive that contains path traversal filenames ../../file.txt for example. Recommendation Update to version 0.4.9 or later. References - GitHub Pull Request - Zip Slip...

Prototype Pollution

Overview Versions of node.extend before 1.1.7 or 2.0.1 are vulnerable to prototype pollution. Recommendation Update to version 1.1.7, 2.0.1 or later. References - HackerOne Report - GitHub Advisory...

Identity Spoofing

Overview Affected versions of libp2p-secio does not correctly verify that the PeerId of DstPeer matches the PeerId discovered in the crypto handshake, resulting in a high severity identity spoofing vulnerability. Recommendation Update to version 0.9.0 or later. References - PR 95 - GitHub Advisor...

Hijacked Environment Variables

Overview The crossenv package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real securi...

Directory Traversal

Overview Affected versions of lab6drewfusbyu resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable...

Directory Traversal

Overview Affected versions of httpstaticsimple resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable...

Directory Traversal

Overview Affected versions of ltt.js resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

Downloads Resources over HTTP

Overview Affected versions of windows-seleniumjar-mirror insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in...

Downloads Resources over HTTP

Overview Affected versions of native-opencv insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code executio...

Downloads Resources over HTTP

Overview Affected versions of phantomjs-cheniu insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

Downloads Resources over HTTP

Overview Affected versions of frames-compiler insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

Timing Attack

Overview Affected versions of cookie-signature are vulnerable to timing attacks as a result of using a fail-early comparison instead of a constant-time comparison. Timing attacks remove the exponential increase in entropy gained from increased secret length, by providing per-character feedback on...

Denial of Service

Overview Versions of mqtt-packet prior to 3.4.6, or 4.x prior to 4.0.5 are affected by a denial of service vulnerability wherein specific sequences of MQTT packets can crash the application. Recommendation Version 3.x: Update to version 3.4.6 or later. Version 4.x: Update to version 4.0.5 or late...

Regular Expression Denial of Service

Overview Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse method. Proof of Concept var u = require'uglify-js'; var genstr = function len, chr var result = ""; for i=0; i=len; i++ result = resu...

Validation Bypass

Overview Versions 2.x.x and earlier of paypal-ipn are affected by a validation bypass vulnerability. paypal-ipn uses the testipn parameter which is set by the PayPal IPN simulator to determine if it should use the production PayPal site or the sandbox. A motivated attacker could craft a request...

Open Redirect

Overview Versions of serve-static prior to 1.6.5 or 1.7.x prior to 1.7.2 are affected by an open redirect vulnerability on some browsers when configured to mount at the root directory. Proof of Concept A link to http://example.com//www.google.com/%2e%2e will redirect to //www.google.com/%2e%2e So...

CORS Token Disclosure

Overview When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have an application consumer visit a site they control, request a route supporting CORS, and then retrieve the token. With this token, they could possibly...

Prototype Pollution

Overview simpl-schema before 1.10.2 is vulnerable to prototype pollution. Attacker controlled input into a schema could result in remote code execution within the scope of the surrounding application. Recommendation Upgrade to version 1.10.2 or later References - CVE - GitHub Advisory...

Prototype Pollution

Overview Impact In affected versions of mixme an attacker can add or alter properties of an object via 'proto' through the mutate and merge functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a...

Privilege Escalation

Overview Versions of cordova-plugin-inappbrowser prior to 3.1.0 are vulnerable to Privilege Escalation. A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI. This affects Cordova Androi...

Cross-Site Scripting

Overview Versions of dompurify prior to 2.0.7 are vulnerable to Cross-Site Scripting XSS. It is possible to bypass the package sanitization through Mutation XSS, which may allow an attacker to execute arbitrary JavaScript in a victim's browser. Recommendation Upgrade to version 2.0.7 or later...

Prototype Pollution

Overview Versions of deeply prior to 1.0.1 are vulnerable to Prototype Pollution. The package fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. Recommendation...