Directory Traversal

Overview Affected versions of bitty are vulnerable to directory traversal via the URL path in GET requests. Recommendation The bitty package is not currently maintained, and has not seen an update since 2015. At this time, the best available mitigation is to use an alternative module that is...

Prototype Pollution

Overview Versions of jquery prior to 3.4.0 are vulnerable to Prototype Pollution. The extend method allows an attacker to modify the prototype for Object causing changes in properties that will exist on all objects. Recommendation Upgrade to version 3.4.0 or later. References - HackerOne Report -...

Regular Expression Denial of Service

Overview trim-newlines before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service ReDoS for the .end method. Recommendation Upgrade to versions 3.0.1 or 4.0.1 or later References - CVE - GitHub Advisory...

Prototype Pollution

Overview Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided...

LDAP Injection

Overview Versions 2.3.2 and earlier of ldapauth-fork are affected by an LDAP injection vulnerability. This allows an attacker to inject and run arbitrary LDAP commands via the username parameter. Recommendation Update to ldapauth-fork version 2.3.3 or later. References -...

Directory Traversal

Overview Affected versions of serve-here resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

Prototype Pollution

Overview Versions of lodash before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via constructor: prototype: ... causing the addition or modification of an existing...

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning

Overview The tar package has a high severity vulnerability before versions 3.2.3, 4.4.15, 5.0.7, and 6.1.2. Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths...

Command Injection

Overview Affected versions of dns-sync have an arbitrary command execution vulnerability in the resolve method. Recommendation - Use an alternative dns resolver - Do not allow untrusted input into dns-sync.resolve References - Issue 1 - Commit d9abaae...

Regular Expression Denial of Service

Overview Affected versions of no-case are vulnerable to a regular expression denial of service when parsing untrusted user input. Recommendation Update to version 2.3.2 or later. References - Issue 17 - GitHub Advisory...

Regular Expression Denial of Service

Overview postcss from 7.0.0 and before version 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service ReDoS during source map parsing. Recommendation Upgrade to version 8.2.10 or later References - CVE - GitHub Advisory...

Arbitrary Code Injection

Overview In xmlhttprequest-ssl before 1.6.2 when requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run. Recommendation Upgrade to version 1.6.2 or later References CVE GitHub Advisory...

Regular Expression Denial of Service

Overview In affected versions of marked, a Denial of Service attack can affect anyone who processes user generated code. Recommendation Upgrade to version 2.0.0 or later References - GitHub Advisory - CVE...

Cross-Site Scripting

Overview Versions of angular prior to 1.5.0-beta.1 are vulnerable to Cross-Site Scripting. The package fails to sanitize xlink:href attributes, which may allow attackers to execute arbitrary JavaScript in a victim's browser if the value is user-controlled. Recommendation Upgrade to version...

Github Token Leak

Overview Affected versions of aegir bundle and publish the current users github token to npm when aegir-release is executed. Recommendation Update to version 12.0.8 or later. If you used this module to do a release for your project you should invalidate the GitHub tokens that were leaked...

Type confusion

Overview In mpath before 0.8.4 a type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOfpartsi !== -1 returns -1 if partsi is 'proto'. This is because the method that has been called if the input is an array is...

Command Injection

Overview nodemailer before version 6.4.16 is vulnerable to command injection. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails. Recommendation Upgrade to version 6.4.16 or later References - CVE - GitHub Advisory...

Regular Expression Denial of Service in trim

Overview Versions of trim lower than 0.0.3 are vulnerable to Regular Expression Denial of Service ReDoS via trim. Recommendation Upgrade to version 0.0.3 or later References - CVE - GitHub Advisory...

Arbitrary Code Execution

Overview math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using unicode characters when creating an object. Recommendation Upgrade to version 3.17.0 or later. References - Commit a60f3c8 -...

Path Traversal

Overview Versions of resolve-path before 1.4.0 are vulnerable to path traversal. resolve-path relative path resolving suffers from a lack of file path sanitization for windows based paths. Recommendation Update to version 1.4.0 or later. References - HackerOne Report - GitHub Advisory...

Prototype Pollution

Overview Overview Affected versions of immer are vulnerable to Prototype Pollution. Proof of exploit const applyPatches, enablePatches = require"immer"; enablePatches; let obj = ; console.log"Before : " + obj.polluted; applyPatches, op: 'add', path: "proto", "polluted" , value: "yes" ; //...

Fastify denial-of-service vulnerability with large JSON payloads

Overview Affected versions of fastify are vulnerable to a denial of service when processing a request with Content-Type set to application/json and a very large payload. Recommendation Update to version 0.38.0 or later. References - Commit fabd2a0 - HackerOne Report 303632 - GitHub Advisory...

Arbitrary Code Execution

Overview math.js before 3.17.0 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result arbitrary execution. Recommendation Update to version 3.17.0 or later. References -...

Regular Expression Denial of Service

Overview In websocket-extensions before version 0.1.4, there is a vulnerability which allows an attacker to exhaust the server's capacity to process incoming requests by sending a WebSocket handshake request containing a header of the following form: Sec-WebSocket-Extensions: a;...

Prototype Pollution

Overview Versions of lodash before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via proto causing the addition or modification of an existing property that will...

Open Redirect in Next.js

Overview In next aka Next.js before version 11.1.0 there is an Open Redirect vulnerability. Impact - Affected: Users of Next.js between 10.0.5 and 10.2.0 - Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/error.js without getInitialProps - Affected: Users of Next.js between 11.0.0...

Prototype Pollution

Overview "The package grpc before 1.24.4 and the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition." Recommendation Upgrade to version 1.1.8 or later References - CVE - GitHub Advisory...

Prototype Pollution in node-forge

Overview The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions. Recommendation Upgrade to version 0.10.0 or later. References -...

Exfiltrates data on installation

Overview The cofee-script package is a piece of malware that steals sensitive data such as a user's private SSH key and bash history, sending them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation If you have found cofee-script installed in...

Prototype Poisoning

Overview Impact When msgpack5 decodes a map containing a key "proto", it assigns the decoded value to proto. As you are no doubt aware, Object.prototype.proto is an accessor property for the receiver's prototype. If the value corresponding to the key proto decodes to an object or null, msgpack5...

Symlink Arbitrary File Overwrite

Overview Versions of tar prior to 2.0.0 are affected by an arbitrary file write vulnerability. The vulnerability occurs because tar does not verify that extracted symbolic links to not resolve to targets outside of the extraction root directory. Recommendation Update to version 2.0.0 or later...

Denial of Service

Overview SheetJS Pro through 0.16.9 allows attackers to cause a denial of service CPU consumption via a crafted .xlsx document that is mishandled when read by xlsx.js. Recommendation Upgrade to version 0.17.0 or later References - GitHub Advisory - CVE...

Improper Authentication

Overview The Utils.readChallengeTx function used in SEP-10 Stellar Web Authentication states in its function documentation that it reads and validates the challenge transaction including verifying that the serverAccountID has signed the transaction. The function does not verify that the server ha...

Open Redirect

Overview Slashify is an Express middleware that normalises routes by stripping any final slash, redirecting, for example, bookings/latest/ to bookings/latest. However, it does not validate the path it redirects to in any way. In particular, if the path starts with two slashes or two backslashes, ...

Regular Expression Denial of Service

Overview In ws before versions 5.2.3, 6.2.2 and 7.4.6 there is a ReDOS vulnerability. Impact A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. Proof of concept js for const length of 1000, 2000, 4000, 8000, 16000, 32000 const value ...

Command Injection

Overview The systeminformation package is an open source collection of functions to retrieve detailed hardware, system and OS information. In affected versions of systeminformation there is a command injection vulnerability. As a workaround instead of upgrading, be sure to check or sanitize servi...

Arbitrary JavaScript Execution

Overview In affected versions of less-openui5 processing untrusted theming resources might execute arbitrary code. Impact When processing theming resources i.e. .less files with less-openui5 that originate from an untrusted source, those resources might contain JavaScript code which will be...

Universal XSS in Android WebView

Overview A universal cross-site scripting UXSS vulnerability, CVE-2020-6506 https://crbug.com/1083819, has been identified in the Android WebView system component, which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. This vulnerability affects React Native...

Denial of Service

Overview Affected versions of mqtt do not properly handle PUBLISH packets returning from the server, leading to a Denial of Service condition. The vulnerability is completely mitigated if the only connected servers are trusted, guaranteed not to be under the control of a malicious actor. Proof of...

Exfiltrates data on installation

Overview The jquey package is malware that attempts to discover and exfiltrate sensitive data such as a user's private SSH key and bash history, sending them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation If you have found jquey installe...

Regular Expression Denial of Service

Overview Affected versions of marked are vulnerable to a regular expression denial of service. The amplification in this vulnerability is significant, with 1,000 characters resulting in the event loop being blocked for around 6 seconds. Recommendation Update to version 0.3.9 or later. References ...

Prototype Pollution

Overview Affected versions of jointjs are vulnerable to Prototype Pollution via util.setByPath. The path used the access the object's key and set the value is not properly sanitized, leading to a Prototype Pollution. Recommendation Update to fixed version 3.3.0 or later References - GitHub Adviso...

Exfiltrates data on installation

Overview The coffe-script package is a piece of malware that steals sensitive data such as a user's private SSH key and bash history, sending them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation If you have found coffe-script installed in...

Hostname spoofing via backslashes in URL

Overview Impact If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a combination of backslash \ and slash / characters as part of the scheme delimiter, e.g. scheme:///\hostname. If the hostname is used in security decisions, the decision may be...

Regular Expression Denial of Service

Overview The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service ReDoS during parsing of queries. Recommendation Upgrade to version 4.16.5 or later References - CVE - GitHub Advisory...

ReDoS via long UserAgent header

Overview Affected versions of ua-parser are vulnerable to regular expression denial of service when given a specially crafted User-Agent header. Recommendation No patch is currently available for this vulnerability. The best mitigation is currently to avoid using this package, using a different,...

Insecure Default Configuration

Overview Affected versions of socket.io are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default. Recommendation Update to version 2.4.0 or later. References - GitHub Advisory - Snyk Advisory...

DoS due to excessively large websocket message

Overview Affected versions of ws do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large payload. Recommendation Update to version 1.1.1 or later. Alternatively, set the maxpayload...

Sensitive Data Exposure

Overview The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected. Example affected...

ReDoS via long string of semicolons

Overview Affected versions of tough-cookie may be vulnerable to regular expression denial of service when long strings of semicolons exist in the Set-Cookie header. Recommendation Update to version 2.3.0 or later. References GitHub Advisory...