
1635 matches found

Node.js
added 2017/06/28 5:19 p.m. | 22 views

Directory Traversal

Overview fast-http-cli is the command line interface for fast-http, a simple web server. fast-http-cli is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Example Request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 hos...

CVSS 5 | AI score 4.8 | EPSS 0.00533
Exploits: 1 | Affected Software: 1
Node.js
added 2016/12/01 3:22 p.m. | 22 views

Downloads Resources over HTTP

Overview Affected versions of openframe-glslviewer insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

CVSS 9.3 | AI score 5.7 | EPSS 0.00735
Exploits: 0 | Affected Software: 1
Node.js
added 2016/12/01 3:8 p.m. | 22 views

Downloads Resources over HTTP

Overview Affected versions of strider-sauce insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code executio...

CVSS 9.3 | AI score 4.1 | EPSS 0.00735
Exploits: 0 | Affected Software: 1
Node.js
added 2016/10/11 7:3 p.m. | 22 views

Denial of Service

Overview Affected versions of uws do not properly handle large websocket messages when permessage-deflate is enabled, which may result in a denial of service condition. If uws receives a 256Mb websocket message when permessage-deflate is enabled, the server will compress the message prior to...

CVSS 4.3 | AI score 3.6 | EPSS 0.00433
Exploits: 0 | Affected Software: 1
Node.js
added 2016/03/28 10:31 p.m. | 22 views

Insecure Default Configuration

Overview Affected versions of airbrake default to sending environment variables over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible for them to capture and read these environment variables, which may result in leaking sensitive...

CVSS 4.3 | AI score 4.4 | EPSS 0.003
Exploits: 0 | Affected Software: 1
Node.js
added 2015/10/25 1:35 a.m. | 22 views

Regular Expression Denial of Service

Overview The ansi2html package is affected by a regular expression denial of service vulnerability when certain types of user input are passed in. Proof of concept var ansi2html = require'ansi2html' var start = process.hrtime; ansi2html"1111111111111111111111;0000000000000000000000";...

CVSS 5 | AI score 3 | EPSS 0.00334
Exploits: 1 | Affected Software: 1
Node.js
added 2015/10/24 6:9 p.m. | 22 views

Insecure Comparison

Overview Versions of secure-compare prior to 3.0.1 are affected by a vulnerability that results in the package always returning true when comparing two strings of the same length, despite differences in the contents of those strings. Recommendation Upgrade to version 3.0.1 or later. References - ...

CVSS 5 | AI score 4.8 | EPSS 0.00217
Exploits: 0 | Affected Software: 1
Node.js
added 2015/10/17 7:41 p.m. | 22 views

Directory Traversal

Overview All versions of the static file server module nhouston are vulnerable to directory traversal. An attacker can provide input such as ../ to read files outside of the served directory. Recommendation It is recommended that a different module be used, as we have been unable to reach the...

AI score 3.1
Exploits: 0 | Affected Software: 1
Node.js
added 2020/12/09 10:25 p.m. | 21 views

Prototype Pollution

Overview ini before version 1.3.6 has a Prototype Pollution vulnerability. Impact If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context. Patches This h...

AI score 6.7
Exploits: 0 | Affected Software: 1
Node.js
added 2019/10/15 8:29 p.m. | 21 views

Arbitrary File Write

Overview Versions of decompress prior to 4.2.1 are vulnerable to Arbitrary File Write. The package fails to prevent extraction of files with relative paths, allowing attackers to write to any folder in the system by including filenames containing ../. Recommendation Upgrade to version 4.2.1 or...

AI score 6.9
Exploits: 0 | Affected Software: 1
Node.js
added 2019/09/23 3:1 p.m. | 21 views

Prototype Pollution

Overview Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument...

AI score 6.8
Exploits: 0 | Affected Software: 1
Node.js
added 2019/09/17 8:56 p.m. | 21 views

Command Injection

Overview All versions of gitlabhook are vulnerable to Command Injection. The package does not validate input in the body of the POST request and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system. Recommendation No fix is currently available. Consider using an...

CVSS 10 | AI score 5.3 | EPSS 0.49627
Exploits: 5 | Affected Software: 1
Node.js
added 2019/09/06 7:50 p.m. | 21 views

Message Signature Bypass

Overview Versions of openpgp prior to 4.2.0 are vulnerable to Message Signature Bypass. The package fails to verify that a message signature is of type text. This allows an attacker to construct a message with a signature type that only verifies subpackets without additional input such as...

CVSS 5 | AI score 1.7 | EPSS 0.00362
Exploits: 1 | Affected Software: 1
Node.js
added 2019/07/15 5:33 p.m. | 21 views

Prototype Pollution

Overview Versions of lodash.merge before 4.6.2 are vulnerable to prototype pollution. The function merge may allow a malicious user to modify the prototype of Object via constructor: prototype: ... causing the addition or modification of an existing property that will exist on all objects...

AI score 6.8
Exploits: 0 | Affected Software: 1
Node.js
added 2019/06/24 3:7 p.m. | 21 views

SQL Injection

Overview Affected versions of sequelize are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the MariaDB and MySQL dialects, which may allow attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation If you are using sequelize 5.x, upgrade to...

CVSS 7.5 | AI score 5.3 | EPSS 0.00427
Exploits: 1 | Affected Software: 1
Node.js
added 2019/06/17 2:55 p.m. | 21 views

User Impersonation

Overview Versions of converse.js prior to 1.0.7 for 1.x or 2.0.5 for 2.x are vulnerable to User Impersonation. The package provides an incorrect implementation of XEP-0280: Message Carbons that allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's...

CVSS 4.3 | AI score 5 | EPSS 0.00253
Exploits: 2 | Affected Software: 1
Node.js
added 2019/04/17 6:28 p.m. | 21 views

Unauthorized File Access

Overview Affected versions of harp are vulnerable to Unauthorized File Access. If a symlink in the project's base directory points to a file outside of the directory, the file is served. This could allow an attacker to access sensitive files on the server. Recommendation Upgrade to version 0.40.3...

CVSS 5 | AI score 3.7 | EPSS 0.00223
Exploits: 1 | Affected Software: 1
Node.js
added 2019/04/02 8:12 p.m. | 21 views

Directory Traversal

Overview Versions of serve before 7.1.3 are vulnerable to Directory Traversal. File paths are not sanitized, leading to unauthorized access of system files. Recommendation Upgrade to version 7.1.3 or later. References - HackerOne Report - GitHub Advisory...

CVSS 5 | AI score 3.5 | EPSS 0.00611
Exploits: 1 | Affected Software: 1
Node.js
added 2018/12/26 4:17 p.m. | 21 views

Sensitive Data Exposure

Overview All versions of rails-session-decoder are missing verification of the Message Authentication Code appended to the cookies. This may lead to decryption of cipher text thus exposing encrypted information. Recommendation No fix is currently available. Consider using an alternative module...

AI score 7
Exploits: 0 | Affected Software: 1
Node.js
added 2018/08/16 7:50 p.m. | 21 views

Code Injection

Overview All versions of cryo are vulnerable to code injection due to an insecure implementation of deserialization. Proof of concept var Cryo = require'cryo'; var frozen = '"root":"CRYOREF3","references":"contents":,"value":"CRYOFUNCTIONfunction console.log\"defconrussia\"; return...

CVSS 7.5 | AI score 1.3 | EPSS 0.00337
Exploits: 1 | Affected Software: 1
Node.js
added 2018/04/24 8:40 p.m. | 21 views

Remote Memory Exposure

Overview Versions of floody before 0.1.1 are vulnerable to remote memory exposure. .writenumber in the affected floody versions passes a number to Buffer constructor, appending a chunk of uninitialized memory. Proof of Concept: var f = require'floody'process.stdout; f.writeUSERSUPPLIEDINPUT;...

AI score 6.8
Exploits: 0 | Affected Software: 1
Node.js
added 2018/04/24 8:25 p.m. | 21 views

Memory Exposure

Overview Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if user-provided input is passed into write. Versions 1.3.0 are not affected due to not using unguarded Buffer constructor. Recommendation Update to version 1.5.2, 1.4.11, 1.3.2 or later. If you are unable to update...

AI score 6.8
Exploits: 0 | Affected Software: 1
Node.js
added 2018/04/24 2:34 p.m. | 21 views

Prototype Pollution

Overview Versions of merge-deep before 3.0.1 are vulnerable to prototype pollution via merging functions. Recommendation Update to version 3.0.1 or later. References - HackerOne Report - GitHub Advisory...

CVSS 6.5 | AI score 4.6 | EPSS 0.0047
Exploits: 1 | Affected Software: 1
Node.js
added 2018/04/24 2:33 p.m. | 21 views

Prototype Pollution

Overview Versions of assign-deep before 0.4.7 are vulnerable to prototype pollution via merging functions. Recommendation Update to version 0.4.7 or later. References - HackerOne Report - GitHub Advisory...

CVSS 6.5 | AI score 4.6 | EPSS 0.0043
Exploits: 1 | Affected Software: 1
Node.js
added 2017/08/08 10:27 p.m. | 21 views

Hijacked Environment Variables

Overview The node-opensl package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real...

CVSS 5 | AI score 4.7 | EPSS 0.00257
Exploits: 0 | Affected Software: 1
Node.js
added 2017/08/08 9:20 p.m. | 21 views

Hijacked Environment Variables

Overview The mssql.js package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real securi...

CVSS 5 | AI score 4.7 | EPSS 0.00257
Exploits: 0 | Affected Software: 1
Node.js
added 2017/07/20 3:35 p.m. | 21 views

Directory Traversal

Overview Affected versions of unicorn-list resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable...

CVSS 5 | AI score 4.6 | EPSS 0.00596
Exploits: 1 | Affected Software: 1
Node.js
added 2017/07/19 10:21 p.m. | 21 views

Directory Traversal

Overview Affected versions of goserv resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

CVSS 5 | AI score 4.4 | EPSS 0.00533
Exploits: 1 | Affected Software: 1
Node.js
added 2017/07/19 10:3 p.m. | 21 views

Directory Traversal

Overview Affected versions of myserver.alexcthomas18 resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the...

CVSS 5 | AI score 4.6 | EPSS 0.00533
Exploits: 1 | Affected Software: 1
Node.js
added 2017/07/17 9:10 p.m. | 21 views

Directory Traversal

Overview Affected versions of simple-npm-registry resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerab...

CVSS 5 | AI score 4.6 | EPSS 0.00596
Exploits: 1 | Affected Software: 1
Node.js
added 2017/06/29 6:51 p.m. | 21 views

Directory Traversal

Overview Affected versions of censorify.tanisjr resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable...

CVSS 5 | AI score 4.6 | EPSS 0.00533
Exploits: 1 | Affected Software: 1
Node.js
added 2017/06/29 5:49 p.m. | 21 views

Directory Traversal

Overview Affected versions of liyujing resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

CVSS 5 | AI score 4.3 | EPSS 0.00533
Exploits: 1 | Affected Software: 1
Node.js
added 2017/06/28 8:50 p.m. | 21 views

Directory Traversal

Overview Affected versions of rtcmulticonnection-client resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the...

CVSS 5 | AI score 4.6 | EPSS 0.00596
Exploits: 1 | Affected Software: 1
Node.js
added 2016/12/01 5:27 p.m. | 21 views

Downloads Resources over HTTP

Overview Affected versions of haxe-dev insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on...

CVSS 9.3 | AI score 4.9 | EPSS 0.00735
Exploits: 0 | Affected Software: 1
Node.js
added 2016/12/01 4:48 p.m. | 21 views

Downloads Resources over HTTP

Overview Affected versions of install-g-test insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends o...

CVSS 4.3 | AI score 2.6 | EPSS 0.00119
Exploits: 0 | Affected Software: 1
Node.js
added 2016/03/28 5:34 p.m. | 21 views

No CSRF Validation

Overview Affected versions of droppy are vulnerable to cross-site socket forgery. The package does not perform verification for cross-domain websocket requests, and as a result, an attacker can create a web page that opens up a websocket connection on behalf of the user visiting the page. The...

CVSS 6.8 | AI score 4.3 | EPSS 0.00134
Exploits: 0 | Affected Software: 1
Node.js
added 2016/03/22 4:50 p.m. | 21 views

Forgeable Public/Private Tokens

Overview Affected versions of the jws package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT as a bearer...

AI score 3.9
Exploits: 0 | Affected Software: 1
Node.js
added 2015/10/17 7:41 p.m. | 21 views

Directory Traversal

Overview Versions 0.1.4 and earlier of fancy-server are vulnerable to a directory traversal attack. Standard attack vectors such as ../ will allow an attacker to read files outside of the served directory. Recommendation Upgrade to version 0.1.4 or greater. References -...

CVSS 5 | AI score 3.4 | EPSS 0.00979
Exploits: 0 | Affected Software: 1
Node.js
added 2020/09/08 6:24 p.m. | 20 views

Remote Memory Exposure

Overview A buffer over-read vulnerability exists in bl 4.0.3, 3.0.1, 2.2.1 and 1.2.3 which could allow an attacker to supply user input (even typed) that, if it ends up in the consume argument and can become negative, can corrupt the BufferList state, tricking it into exposing uninitialized memory v...

AI score 6.8 | EPSS 0.0114
Exploits: 1 | Affected Software: 1
Node.js
added 2020/08/17 2:58 p.m. | 20 views

Regular Expression Denial of Service

Overview All versions of url-regex are vulnerable to a Regular Expression Denial of Service. An attacker providing a very long string in String.test can cause a Denial of Service. Recommendation There are no patches and the software is not currently maintained. The security researcher who found t...

AI score 7.7 | EPSS 0.00603
Exploits: 1 | Affected Software: 1
Node.js
added 2020/06/05 7:48 p.m. | 20 views

Information Exposure

Overview Versions of apollo-server-azure-functions prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the Websocket. This leaks the GraphQL schema types, thei...

AI score 6.7
Exploits: 0 | Affected Software: 1
Node.js
added 2020/04/06 6:29 p.m. | 20 views

Path Traversal

Overview Versions of next prior to 9.3.2 are vulnerable to Path Traversal. The package failed to restrict access to arbitrary files inside the dist directory through specially-crafted HTTP requests. It is not possible to access files outside of the dist directory. Recommendation Upgrade to versio...

CVSS 5 | AI score 2.3 | EPSS 0.79833
Exploits: 0 | Affected Software: 1
Node.js
added 2020/02/17 1:59 p.m. | 20 views

Prototype Pollution

Overview All versions of subtext are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts’ content can be set as the entire payload object’s prototype. If this prototype contains data, it may bypass other validation rules which enforce access an...

AI score 6.8
Exploits: 0 | Affected Software: 1
Node.js
added 2019/11/29 7:27 p.m. | 20 views

Validation Bypass

Overview Versions of slp-validate prior to 1.0.1 are vulnerable to a validation bypass. Bitcoin scripts may cause the validation result from slp-validate to differ from the specified SLP consensus. This allows an attacker to create a Bitcoin script that causes a hard-fork from the SLP consensus...

CVSS 4.9 | AI score 3.8 | EPSS 0.00372
Exploits: 0 | Affected Software: 1
Node.js
added 2019/11/27 10:14 p.m. | 20 views

Malicious Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.8
Exploits: 0 | Affected Software: 1
Node.js
added 2019/11/27 10:14 p.m. | 20 views

Malicious Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.8
Exploits: 0 | Affected Software: 1
Node.js
added 2019/09/17 6:16 p.m. | 20 views

Regular Expression Denial of Service

Overview Versions of csv-parse prior to 4.4.6 are vulnerable to Regular Expression Denial of Service. The isInt function contains a malformed regular expression that processes large specially-crafted input very slowly, leading to a Denial of Service. This is triggered when using the cast option...

CVSS 5 | AI score 4.9 | EPSS 0.00577
Exploits: 0 | Affected Software: 1
Node.js
added 2019/09/06 7:2 p.m. | 20 views

Cross-Site Scripting

Overview Versions of webtorrent prior to 0.107.6 are vulnerable to Cross-Site Scripting. webtorrent servers started with torrent.createServer lists a torrent's title and files in the index page without sanitization. This allows attackers to execute arbitrary JavaScript in the victim's browser...

CVSS 4.3 | AI score 3.3 | EPSS 0.00208
Exploits: 0 | Affected Software: 1
Node.js
added 2019/09/04 6:50 p.m. | 20 views

Cross-Site Scripting

Overview Versions of selectize-plugin-a11y prior to 1.1.0 are vulnerable to Cross-Site Scripting. The accessibility.liveRegion.speak function does not sanitize the msg variable before rendering it as HTML. If this variable is controlled by user input it allows attackers to execute arbitrary...

CVSS 4.3 | AI score 4.4 | EPSS 0.00223
Exploits: 0 | Affected Software: 1
Node.js
added 2019/07/30 9:15 p.m. | 20 views

Arbitrary File Read

Overview html-pdf before version 3.0.1 is vulnerable to Arbitrary File Read. The package fails to sanitize the HTML input, allowing attackers to exfiltrate server files by supplying malicious HTML code. XHR requests in the HTML code are executed by the server. Input with an XHR request such as...

CVSS 5 | AI score 3.5 | EPSS 0.00316
Exploits: 1 | Affected Software: 1
Total number of security vulnerabilities: 1635