Path Traversal

Overview Versions of serve prior to 10.1.2 are vulnerable to Path Traversal. Explicitly ignored folders can be accessed through relative paths, which allows attackers to access hidden folders and files. Recommendation Upgrade to version 10.1.2 or later. References - HackerOne Report - GitHub...

Command Injection

Overview All versions of wxchangba are vulnerable to Command Injection. The package does not validate user input on the reqPostMaterial function, passing contents of the file parameter to an exec call. This may allow attackers to run arbitrary commands in the system. Recommendation No fix is...

Cross-Site Scripting

Overview Versions of ids-enterprise prior to 4.18.2 are vulnerable to Cross-Site Scripting XSS. The soho-dropdown component does not properly encode its output and may allow attackers to execute arbitrary JavaScript. Recommendation Upgrade to version 4.18.2 or later References - GitHub Issue -...

Malicious Package

Overview Versions 2.4.3 and 2.4.2 of react-datepicker-plus contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from yo...

Malicious Package

Overview All versions of shrugging-logging contain malicious code as a postinstall script. The package fetches all names of npm packages owned by the user and attempts to add another maintainer to every package as a means of package hijacking, Recommendation Remove the package from your system. I...

Denial of Service

Overview Versions of ipfs-bitswap prior to 0.24.1 are vulnerable to Denial of Service DoS. The package put unwanted blocks in the blockstore, which could be used to exhaust system resources in specific conditions. Recommendation Upgrade to version 0.24.1 or later. References - GitHub PR - Snyk...

Cross-Site Scripting

Overview Versions of ag-grid-community prior to 14.0.0 are vulnerable to Cross-Site Scripting XSS. Grid contents are not properly sanitized and may allow attackers to execute arbitrary JavaScript if user input is rendered in the grid. Recommendation Upgrade to version 14.0.0 or later References -...

Malicious Package

Overview All versions of requset typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

Malicious Package

Overview All versions of reuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

Malicious Package

Overview All versions of asnc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

Malicious Package

Overview All versions of wepack-cli typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether t...

Cross-Site Scripting

Overview Versions of @nuxt/devalue prior to 1.2.3 are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization attacker may inject arbitrary JavaScript code through object keys. Recommendation Upgrade to version 1.2.3 or later. References - GitHub Issue - GitHub Advisory...

Cross-Site Scripting

Overview All versions of harp are vulnerable to Cross-Site Scripting. Due to misconfiguration of its rendering engine, harp does not sanitize the HTML output allowing attackers to run arbitrary JavaScript when processing malicious files. Recommendation No fix is currently available. Consider usin...

Denial of Service

Overview Versions of canvas prior to 1.6.10 are vulnerable to Denial of Service. Processing malicious JPEGs or GIFs could crash the node process. Recommendation Upgrade to version 1.6.10 References - HackerOne Report - GitHub Advisory...

Path Traversal

Overview Versions of http-live-simulator prior to 1.0.6 are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. Recommendation Upgrade to version 1.0.6 References - HackerOne Report - GitHub Advisory...

Regular Expression Denial of Service

Overview Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service ReDoS. Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrad...

Cross-Site Scripting

Overview All versions of md-data-table are vulnerable to cross-site scripting XSS. This vulnerability is exploitable if an attacker has control over data that is rendered by mdt-row Recommendation As there is no fix for this vulnerability at this time we recommend either selecting another package...

Missing Origin Validation

Overview Versions of browserify-hmr prior to 0.4.0 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement HMR are not...

NoSQL injection

Overview Versions of express-cart before 1.1.8 are vulnerable to NoSQL injection. The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query...

Malicious Package

Overview Version 1.0.1 of simple-alipay contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 1.0.1 of this module is found install...

Malicious Package

Overview Version 0.0.3 of jasmin contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.0.3 of this module is found installed you...

Cross-Site Scripting

Overview Versions of mrk.js before 2.0.1 are vulnerable to cross-site scripting XSS when markdown is converted to HTML. Recommendation Update to version 2.0.1 or later and use mark.sanitizeURL for any src and href attributes when extending the markdown. References - GitHub PR 3 - GitHub Advisory...

Information Exposure

Overview Versions of apollo-server-hapi prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoInstrospection rule for the Websocket. This leaks the GraphQL schema types, their relations...

Information Exposure

Overview Versions of apollo-server prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoInstrospection rule for the Websocket. This leaks the GraphQL schema types, their relations and...

Command Injection

Overview All versions of git-tags-remote are vulnerable to Command Injection. The package fails to sanitize the repository input and passes it directly to an exec call on the get function . This may allow attackers to execute arbitrary code in the system if the repo value passed to the function i...

Regular Expression Denial of Service

Overview Versions of papaparse prior to 5.2.0 are vulnerable to Regular Expression Denial of Service ReDos. The parse function contains a malformed regular expression that takes exponentially longer to process non-numerical inputs. This allows attackers to stall systems and lead to Denial of...

Malicious 󠅮󠅰󠅭Package

Overview All versions of m-backdoor contain malicious code. The package downloads a file from a remote server and executes it as a preinstall script. At the time of the release of this advisory the downloaded file only defaces websites by removing elements randomly from the DOM. Recommendation...

Buffer Overflow

Overview Affected versions of node-weakauras-parser are vulnerable to a Buffer Overflow. The encodeweakaura function fails to properly validate the input size. A buffer of 13835058055282163711 bytes causes an overflow on 64-bit systems. Recommendation Upgrade to versions 1.0.5, 2.0.2, 3.0.1 or...

Regular Expression Denial of Service

Overview Affected versions of acorn are vulnerable to Regular Expression Denial of Service. A regex in the form of /x-\ud800/u causes the parser to enter an infinite loop. The string is not valid UTF16 which usually results in it being sanitized before reaching the parser. If an application...

Denial of Service

Overview Version 5.1.1 of @commercial/subtext is vulnerable to Denial of Service. The Content-Encoding HTTP header parser has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. Because hapi rethrows system errors as opposed to catchin...

Denial of Service

Overview Versions of @hapi/subtext prior to 6.1.3 or 7.0.3 are vulnerable to Denial of Service. The Content-Encoding HTTP header parser has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. Because hapi rethrows system errors as...

Denial of Service

Overview Versions of @commercial/ammo prior to 2.1.1 are vulnerable to Denial of Service. The Range HTTP header parser has a vulnerability which will cause the function to throw a system error if the header is set to an invalid value. Because hapi is not expecting the function to ever throw, the...

Cross-Site Scripting

Overview Versions of nextcloud-vue-collections prior to 0.4.2 are vulnerable to Cross-Site Scripting XSS. The v-tooltip component has an insecure defaultHTML configuration that allows arbitrary JavaScript to be injected in the tooltip of a collection item. This allows attackers to execute arbitra...

Command Injection

Overview Versions of hot-formula-parser prior to 3.0.1 are vulnerable to Command Injection. The package fails to sanitize values passed to the parse function and concatenates it in an eval call. If a value of the formula is supplied by user-controlled input it may allow attackers to run arbitrary...

Global node_modules Binary Overwrite

Overview Versions of bin-links prior to 1.1.6 are vulnerable to a Global nodemodules Binary Overwrite. It fails to prevent globally-installed binaries to be overwritten by other package installs. For example, if a package was installed globally and created a serve binary, any subsequent installs ...

Outdated Static Dependency

Overview Versions of vue-moment prior to 4.1.0 contain an Outdated Static Dependency. The package depends on moment and has it loaded statically instead of as a dependency that can be updated. It has [email protected] that contains a Regular Expression Denial of Service vulnerability. Recommendation...

Malicious 󠅮󠅰󠅭Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious 󠅮󠅰󠅭Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious 󠅮󠅰󠅭Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious 󠅮󠅰󠅭Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Sandbox Breakout / Arbitrary Code Execution

Overview Versions of pitboss-ng prior to 2.0.0 are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through this.constructor.constructor . This may allow attackers to execute arbitrary code in the system. Evaluating the payloa...

Prototype Pollution

Overview Affected versions of @polymer/polymer are vulnerable to prototype pollution. The package fails to prevent modification of object prototypes through chart options containing a payload such as "proto": "polluted": true. It is possible to achieve the same results if a chart loads data from ...

Path Traversal

Overview All versions of statics-server are vulnerable to Path Traversal. The package fails to limit access to files outside of the served folder through symlinks. Recommendation No fix is currently available. Do not use statics-server in production or consider using an alternative module until a...

Malicious Package

Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

Malicious Package

Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

Sandbox Breakout / Arbitrary Code Execution

Overview All versions of safer-eval are vulnerable to Sandbox Escape leading to Remote Code Execution. It is possible to escape the sandbox by forcing exceptions recursively in the evaluated code. This may allow attacker to execute arbitrary code in the system. Recommendation The package is not...

Malicious Package

Overview Version 0.0.1 of harmlesspackage contains malicious code as a postinstall script. The package printed a message to the console and performed a GET request to a remote server. Recommendation Remove the package from your environment. There is no evidence of further compromise. References...

Sandbox Breakout

Overview Versions of realms-shim prior to 1.2.0 are vulnerable to a Sandbox Breakout. The package has an uncaught exception that may allow an attacker to break out of the sandbox by catching the exception and using the caught Exception object. Recommendation Upgrade to version 1.2.0 or later...

Malicious Package

Overview Version 1.0.6 of @fangrong/xoc contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment. It's...

Prototype Pollution

Overview Versions of lodash.defaultsdeep before 4.6.1 are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via constructor: prototype: ... causing the addition or modification of an existing property that will exist on all...