1635 matches found
Prototype Pollution
Overview Versions of deeply prior to 1.0.1 are vulnerable to Prototype Pollution. The package fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. Recommendation...
Prototype Pollution
Overview Versions of just-extend before 4.0.0 are vulnerable to prototype pollution. Provided certain input, just-extend can add or modify properties of the Object prototype. These properties will be present on all objects. Recommendation Update to version 4.0.0 or later. References - HackerOne...
Regular Expression Denial of Service
Overview Versions of is-my-json-valid before 1.4.1 or 2.17.2 are vulnerable to regular expression denial of service (ReDoS) via the email validation function. Recommendation Update to version 1.4.1, 2.17.2 or later. References - GitHub PR 159 - GitHub Commit b3051b2 - HackerOne Report - GitHub Advis...
Hijacked Environment Variables
Overview The nodefabric package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real...
Hijacked Environment Variables
Overview The nodemssql package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real...
Directory Traversal
Overview Affected versions of static-html-server resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerabl...
Downloads Resources over HTTP
Overview Affected versions of sfml insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on the...
Downloads Resources over HTTP
Overview Affected versions of node-air-sdk insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution...
Downloads Resources over HTTP
Overview Affected versions of nw-with-arm insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution ...
Downloads Resources over HTTP
Overview Affected versions of jvminstall insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution o...
Downloads Resources over HTTP
Overview Affected versions of openframe-image insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends...
Downloads Resources over HTTP
Overview Affected versions of fibjs insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...
Arbitrary Code Injection
Overview Affected versions of pouchdb do not properly sandbox the code execution engine which executes the map/reduce functions for temporary views and design documents. Under certain circumstances, an attacker could use this to run arbitrary code on the server. Recommendation Update to version...
Cross-Site Scripting
Overview Affected versions of jqtree are vulnerable to cross-site scripting in the drag and drop functionality for modifying tree data. When a user attempts to drag a node to a different position in the hierarchy, script content existing within the node will be executed. Recommendation Update to...
Potential SQL Injection
Overview Affected versions of sequelize are vulnerable to SQL Injection when user input is passed into findOne or into a statement such as where: "user input". Recommendation Update to version 3.0.0 or later. Version 3.0.0 will introduce a number of breaking changes. Thankfully, the project autho...
Remote Code Execution
Overview serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". An object such as "foo": /1"/, "bar": "a"@R--0@" was serialized as "foo": /1"/, "bar": "a/1"/, which allows an attacker to escape the bar key. This...
Cryptographically Weak PRNG
Overview All versions of generator-jhipster-kotlin use a Cryptographically Weak PRNG that may lead to account takeover. The package uses a cryptographically insecure method to generate password reset links, which allows an attacker to guess password reset links and take over accounts. Recommendati...
Remote Code Execution
Overview Versions of markdown-pdf prior to 9.0.0 are vulnerable to Remote Code Execution. The package fails to sanitize HTML code in markdown files. If markdown files with malicious HTML are converted to PDF, the resulting PDF file will execute any JavaScript code in the original markdown file...
Path Traversal
Overview Versions of http-live-simulator prior to 1.0.7 are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. For example: curl --path-as-is http://localhost:8080//../../../../etc/passwd. Recommendation Upgrade to...
Path Traversal
Overview Versions of localhost-now before 1.0.2 are vulnerable to path traversal. This allows a remote attacker to read the content of an arbitrary file. Recommendation Update to version 1.0.2 or later. References - GitHub Commit 30b004c - HackerOne Report - GitHub Advisory...
Denial of Service
Overview Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent. Proof of concept const WebSocket = require('ws'); const net = require('net'); const wss = new WebSocket.Server({ port:...
Hijacked Environment Variables
Overview The tkinter package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real securit...
Hijacked Environment Variables
Overview The mariadb package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real securit...
Tracking Module
Overview The module botbait is a tool used to track bot and automated tool usage within the npm ecosystem. botbait is known to record and track user information. The module tracks the following information. - Source IP - process.versions - process.platform - How the module was invoked tes...
Directory Traversal
Overview Affected versions of node-server-forfront resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the...
Downloads Resources over HTTP
Overview Affected versions of grunt-images insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution...
Downloads Resources over HTTP
Overview Affected versions of scala-bin insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on...
Downloads Resources over HTTP
Overview Affected versions of apk-parser2 insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution ...
Downloads Resources over HTTP
Overview Affected versions of dalek-browser-ie insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...
Downloads Resources over HTTP
Overview Affected versions of unicode-json insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on...
Downloads Resources over HTTP
Overview Affected versions of robot-js insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on...
Downloads Resources over HTTP
Overview Affected versions of libxl insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...
SQL Injection via GeoJSON
Overview Affected versions of sequelize are vulnerable to SQL Injection in Models that have fields with the GEOMETRY DataType. This vulnerability occurs because single quotes in document values are not escaped for GeoJSON documents using STGeomFromGeoJSON, and MySQL GeoJSON documents using...
Authentication Bypass
Overview Versions of hapi-auth-jwt2 prior to version 5.1.2 are affected by a complete authentication bypass vulnerability when in the try authentication mode. Recommendation Update to version 5.1.2 or later. References - Issue 111 - PR 112 - GitHub Advisory...
Content Injection via TileJSON Name
Overview Versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 of mapbox.js are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios. If L.mapbox.map or L.mapbox.shareControl are used in a manner that gives users control of the TileJSON content, it is possible to inject...
Incorrect handling of CORS preflight request headers
Overview Versions of hapi prior to 11.0.0 implement CORS incorrectly, allowing for configurations that at best return inconsistent headers, and at worst allow cross-origin activities that are expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is n...
Directory Traversal
Overview Versions of st prior to 0.2.5 are affected by a directory traversal vulnerability. Vulnerable versions fail to properly handle URL encoded dots, which caused %2e to be interpreted as . by the filesystem, resulting in the potential for an attacker to read sensitive files on the server...
Potential Command Injection
Overview Versions 2.4.3 and earlier of hubot-scripts are vulnerable to a command injection vulnerability in the hubot-scripts/package/src/scripts/email.coffee module. Mitigating Factors The email script is not enabled by default, it has to be manually added to hubot's list of loaded scripts...
Uncontrolled Resource Consumption
Overview This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program. Recommendation Upgrade to version 0.3....
Path Traversal
Overview Versions of crud-file-server prior to 0.9.0 are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths. Recommendation Upgrade to version 0.9.0 or later. References - HackerOne Report -...
Path Traversal
Overview Versions of simplehttpserver prior to 0.2.1 are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. Recommendation Upgrade to version 0.2.1 or later. References - HackerOne Report...
Prototype Pollution
Overview Versions of cached-path-relative before 1.0.2 are vulnerable to prototype pollution. Recommendation Update to version 1.0.2 or later. References - HackerOne Report - GitHub Issue - Node.js Security-wg - GitHub Advisory...
Prototype Pollution
Overview Versions of merge before 1.2.1 are vulnerable to prototype pollution. The merge.recursive function can be tricked into adding or modifying properties of the Object prototype. Recommendation Update to version 1.2.1 or later. References - HackerOne Report - GitHub Advisory...
Hijacked Environment Variables
Overview The shadowsock package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real...
Hijacked Environment Variables
Overview The mssql-node package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this module is malware, if you find it installed in your environment, the real...
Directory Traversal
Overview Affected versions of infraserver resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable syste...
Directory Traversal
Overview Affected versions of serverzyy resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...
Downloads Resources over HTTP
Overview Affected versions of grunt-ccompiler insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...
Downloads Resources over HTTP
Overview Affected versions of cmake insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...
Downloads Resources over HTTP
Overview Affected versions of pennyworth insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on t...