1635 matches found
Prototype Pollution
Overview Versions of jquery prior to 3.4.0 are vulnerable to Prototype Pollution. The extend method allows an attacker to modify the prototype for Object causing changes in properties that will exist on all objects. Recommendation Upgrade to version 3.4.0 or later. References - HackerOne Report -...
Directory Traversal
Overview Affected versions of serve-here resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...
LDAP Injection
Overview Versions 2.3.2 and earlier of ldapauth-fork are affected by an LDAP injection vulnerability. This allows an attacker to inject and run arbitrary LDAP commands via the username parameter. Recommendation Update to ldapauth-fork version 2.3.3 or later. References -...
Prototype Pollution
Overview Versions of lodash before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via constructor: prototype: ... causing the addition or modification of an existing...
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
Overview The tar package has a high severity vulnerability before versions 3.2.3, 4.4.15, 5.0.7, and 6.1.2. Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths...
Prototype Pollution
Overview Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided...
Regular Expression Denial of Service
Overview trim-newlines before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service ReDoS for the .end method. Recommendation Upgrade to versions 3.0.1 or 4.0.1 or later References - CVE - GitHub Advisory...
Command Injection
Overview Affected versions of dns-sync have an arbitrary command execution vulnerability in the resolve method. Recommendation - Use an alternative dns resolver - Do not allow untrusted input into dns-sync.resolve References - Issue 1 - Commit d9abaae...
Regular Expression Denial of Service
Overview Affected versions of no-case are vulnerable to a regular expression denial of service when parsing untrusted user input. Recommendation Update to version 2.3.2 or later. References - Issue 17 - GitHub Advisory...
Regular Expression Denial of Service
Overview postcss from 7.0.0 and before version 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service ReDoS during source map parsing. Recommendation Upgrade to version 8.2.10 or later References - CVE - GitHub Advisory...
Cross-Site Scripting
Overview Versions of angular prior to 1.5.0-beta.1 are vulnerable to Cross-Site Scripting. The package fails to sanitize xlink:href attributes, which may allow attackers to execute arbitrary JavaScript in a victim's browser if the value is user-controlled. Recommendation Upgrade to version...
Arbitrary Code Injection
Overview In xmlhttprequest-ssl before 1.6.2 when requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run. Recommendation Upgrade to version 1.6.2 or later References CVE GitHub Advisory...
Arbitrary Code Execution
Overview math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using unicode characters when creating an object. Recommendation Upgrade to version 3.17.0 or later. References - Commit a60f3c8 -...
Github Token Leak
Overview Affected versions of aegir bundle and publish the current users github token to npm when aegir-release is executed. Recommendation Update to version 12.0.8 or later. If you used this module to do a release for your project you should invalidate the GitHub tokens that were leaked...
Type confusion
Overview In mpath before 0.8.4 a type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOfpartsi !== -1 returns -1 if partsi is 'proto'. This is because the method that has been called if the input is an array is...
Regular Expression Denial of Service
Overview In affected versions of marked, a Denial of Service attack can affect anyone who processes user generated code. Recommendation Upgrade to version 2.0.0 or later References - GitHub Advisory - CVE...
Path Traversal
Overview Versions of resolve-path before 1.4.0 are vulnerable to path traversal. resolve-path relative path resolving suffers from a lack of file path sanitization for windows based paths. Recommendation Update to version 1.4.0 or later. References - HackerOne Report - GitHub Advisory...
Regular Expression Denial of Service in trim
Overview Versions of trim lower than 0.0.3 are vulnerable to Regular Expression Denial of Service ReDoS via trim. Recommendation Upgrade to version 0.0.3 or later References - CVE - GitHub Advisory...
Command Injection
Overview nodemailer before version 6.4.16 is vulnerable to command injection. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails. Recommendation Upgrade to version 6.4.16 or later References - CVE - GitHub Advisory...
Fastify denial-of-service vulnerability with large JSON payloads
Overview Affected versions of fastify are vulnerable to a denial of service when processing a request with Content-Type set to application/json and a very large payload. Recommendation Update to version 0.38.0 or later. References - Commit fabd2a0 - HackerOne Report 303632 - GitHub Advisory...
Prototype Pollution
Overview Versions of lodash before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via proto causing the addition or modification of an existing property that will...
Arbitrary Code Execution
Overview math.js before 3.17.0 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result arbitrary execution. Recommendation Update to version 3.17.0 or later. References -...
Regular Expression Denial of Service
Overview In websocket-extensions before version 0.1.4, there is a vulnerability which allows an attacker to exhaust the server's capacity to process incoming requests by sending a WebSocket handshake request containing a header of the following form: Sec-WebSocket-Extensions: a;...
Prototype Pollution
Overview Overview Affected versions of immer are vulnerable to Prototype Pollution. Proof of exploit const applyPatches, enablePatches = require"immer"; enablePatches; let obj = ; console.log"Before : " + obj.polluted; applyPatches, op: 'add', path: "proto", "polluted" , value: "yes" ; //...
Prototype Pollution in node-forge
Overview The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions. Recommendation Upgrade to version 0.10.0 or later. References -...
Open Redirect in Next.js
Overview In next aka Next.js before version 11.1.0 there is an Open Redirect vulnerability. Impact - Affected: Users of Next.js between 10.0.5 and 10.2.0 - Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/error.js without getInitialProps - Affected: Users of Next.js between 11.0.0...
Regular Expression Denial of Service (ReDoS)
Overview jspdf before version 2.3.1 has a regular expression denial-of-service via the addImage function. Recommendation Upgrade to version 2.3.1 or later References - CVE - GitHub Advisory...
Prototype Poisoning
Overview Impact When msgpack5 decodes a map containing a key "proto", it assigns the decoded value to proto. As you are no doubt aware, Object.prototype.proto is an accessor property for the receiver's prototype. If the value corresponding to the key proto decodes to an object or null, msgpack5...
Prototype Pollution
Overview "The package grpc before 1.24.4 and the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition." Recommendation Upgrade to version 1.1.8 or later References - CVE - GitHub Advisory...
Exfiltrates data on installation
Overview The cofee-script package is a piece of malware that steals sensitive data such as a user's private SSH key and bash history, sending them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation If you have found cofee-script installed in...
Denial of Service
Overview SheetJS Pro through 0.16.9 allows attackers to cause a denial of service CPU consumption via a crafted .xlsx document that is mishandled when read by xlsx.js. Recommendation Upgrade to version 0.17.0 or later References - GitHub Advisory - CVE...
Improper Authentication
Overview The Utils.readChallengeTx function used in SEP-10 Stellar Web Authentication states in its function documentation that it reads and validates the challenge transaction including verifying that the serverAccountID has signed the transaction. The function does not verify that the server ha...
Open Redirect
Overview Slashify is an Express middleware that normalises routes by stripping any final slash, redirecting, for example, bookings/latest/ to bookings/latest. However, it does not validate the path it redirects to in any way. In particular, if the path starts with two slashes or two backslashes, ...
Universal XSS in Android WebView
Overview A universal cross-site scripting UXSS vulnerability, CVE-2020-6506 https://crbug.com/1083819, has been identified in the Android WebView system component, which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. This vulnerability affects React Native...
Denial of Service
Overview Affected versions of mqtt do not properly handle PUBLISH packets returning from the server, leading to a Denial of Service condition. The vulnerability is completely mitigated if the only connected servers are trusted, guaranteed not to be under the control of a malicious actor. Proof of...
Exfiltrates data on installation
Overview The jquey package is malware that attempts to discover and exfiltrate sensitive data such as a user's private SSH key and bash history, sending them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation If you have found jquey installe...
Exfiltrates data on installation
Overview The coffe-script package is a piece of malware that steals sensitive data such as a user's private SSH key and bash history, sending them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation If you have found coffe-script installed in...
Command Injection
Overview The systeminformation package is an open source collection of functions to retrieve detailed hardware, system and OS information. In affected versions of systeminformation there is a command injection vulnerability. As a workaround instead of upgrading, be sure to check or sanitize servi...
Arbitrary JavaScript Execution
Overview In affected versions of less-openui5 processing untrusted theming resources might execute arbitrary code. Impact When processing theming resources i.e. .less files with less-openui5 that originate from an untrusted source, those resources might contain JavaScript code which will be...
Prototype Pollution
Overview Affected versions of jointjs are vulnerable to Prototype Pollution via util.setByPath. The path used the access the object's key and set the value is not properly sanitized, leading to a Prototype Pollution. Recommendation Update to fixed version 3.3.0 or later References - GitHub Adviso...
Hostname spoofing via backslashes in URL
Overview Impact If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a combination of backslash \ and slash / characters as part of the scheme delimiter, e.g. scheme:///\hostname. If the hostname is used in security decisions, the decision may be...
Insecure Default Configuration
Overview Affected versions of socket.io are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default. Recommendation Update to version 2.4.0 or later. References - GitHub Advisory - Snyk Advisory...
ReDoS via long UserAgent header
Overview Affected versions of ua-parser are vulnerable to regular expression denial of service when given a specially crafted User-Agent header. Recommendation No patch is currently available for this vulnerability. The best mitigation is currently to avoid using this package, using a different,...
Symlink Arbitrary File Overwrite
Overview Versions of tar prior to 2.0.0 are affected by an arbitrary file write vulnerability. The vulnerability occurs because tar does not verify that extracted symbolic links to not resolve to targets outside of the extraction root directory. Recommendation Update to version 2.0.0 or later...
DoS due to excessively large websocket message
Overview Affected versions of ws do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large payload. Recommendation Update to version 1.1.1 or later. Alternatively, set the maxpayload...
Prototype Pollution
Overview There is a prototype pollution vulnerability in gsap which affects all versions before 3.6.0. Recommendation Upgrade to 3.6.0 or later References - GitHub Advisory - Snyk Advisory...
ReDoS via long string of semicolons
Overview Affected versions of tough-cookie may be vulnerable to regular expression denial of service when long strings of semicolons exist in the Set-Cookie header. Recommendation Update to version 2.3.0 or later. References GitHub Advisory...
Malicious Package
Overview All versions of plutov-slack-client contain malicious code. Upon installation the package opens a shell to a remote server. The package affects both Windows and nix systems. Recommendation Any computer that has this package installed or running should be considered fully compromised. All...
Exfiltrates data on installation
Overview The coffescript package is a piece of malware that steals sensitive data such as a user's private SSH key and bash history, sending them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation If you have found coffescript installed in...
Exfiltrates data on installation
Overview The cofeescript package is a piece of malware that steals sensitive data such as a user's private SSH key and bash history, sending them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation If you have found cofeescript installed in...