Remote Memory Exposure

Overview Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of body is number, then a buffer of that size will be allocated and sent to the remote server as the body. Proof of Concept var reques...

Sensitive Data Exposure

Overview The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected. Example affected...

Cross-Site Scripting (XSS)

Overview Affected versions of angular are vulnerable to JSONP Callback Attack. JSONP JSON with padding is a method used to request data from a server residing in a different domain than the client. Any url could perform JSONP requests, allowing full access to the browser and the JavaScript contex...

Cross-Site Scripting

Overview Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements. Recommendation Upgrade to version 2.0.17 or...

Cross-Site Scripting

Overview Cross-site scripting XSS vulnerability in the DataTables plugin 1.10.8 and earlier for jQuery allows remote attackers to inject arbitrary web script or HTML via the scripts parameter to media/unittesting/templates/6776.php. Recommendation Update to a version greater than 1.10.8. Referenc...

Cross-Site Scripting (XSS)

Overview In affected versions of video.js, the src attribute of track tag allows to bypass HTML escaping and execute arbitrary code. Recommendation Upgrade to version 7.14.3 or later References - CVE - GitHub Advisory...

Memory Exposure

Overview This affects the package dns-packet before versions 1.3.2 and 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names...

Arbitrary Code Execution in grunt

Overview Versions of grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load instead of its secure replacement safeLoad of the package js-yaml inside grunt.file.readYAML. Recommendation Upgrade to version 1.3.0 or later References - CVE - GitHub...

Open Redirect

Overview st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 redirect to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers trea...

Command Injection

Overview Affected versions of growl do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution. Recommendation Update to version 1.10.2 or later. References - Issue 60 - PR 61 - GitHub Advisory...

Credential leak in react-native-fast-image

Overview This affects all versions before version 8.3.0 of package react-native-fast-image. When an image with source=uri: "...", headers: host: "somehost.com", authorization: "..." is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other...

Command Injection

Overview Affected versions of fs-git do not sanitize strings passed into the buildCommand method, resulting in arbitrary code execution. Recommendation Update to version 1.0.2 or later. References - Commit eb5f70e - GitHub Advisory...

Cross-Site Scripting

Overview Affected versions of yui are vulnerable to cross-site scripting in the uploader.swf and io.swf utilities, via script injection in the url. Recommendation YUI has published their recommendation to fix this issue. Their recommendation is to: - Delete self-hosted copies of these files if yo...

Authentication Bypass

Overview Affected versions of passport-azure-ad do not recognize the validateIssuer setting, which allows remote attackers to bypass authentication via a crafted token. Recommendation Version 1.x: Update to version 1.4.6 or later. Version 2.x: Update to version 2.0.1 or later. References - Securi...

Prototype Pollution

Overview Affected versions of jszip have a prototype pollution vulnerability. Crafting a new zip file with filenames set to Object prototype values e.g proto, toString, etc results in a returned object with a modified prototype instance. Recommendation Upgrade to version 3.7.0 or later References...

Path traversal in rollup-plugin-serve

Overview Path traversal in rollup-plugin-serve before version 1.0.2. There is no path sanitization in readFile operation. Recommendation Upgrade to version 1.0.2 or later References - CVE - GitHub Advisory...

Injection in gulp-scss-lint

Overview gulp-scss-lint through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands to the "exec" function located in "src/command.js" via the provided options. Recommendation Avoid using gulp-scss-lint as there is no current safe version of this module...

Arbitrary Code Execution

Overview The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized. Recommendation Upgrade to versions 1.12.1 or...

Downloads Resources over HTTP

Overview Affected versions of gfe-sass insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on...

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links

Overview Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks...

Regular Expression Denial of Service

Overview normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 has a ReDoS regular expression denial of service issue because it has exponential performance for data: URLs. Recommendation Upgrade to versions 4.5.1, 5.3.1, 6.0.1 or later References - CVE - GitHub Advisory...

Prototype Pollution in locutus

Overview Versions of locutus prior to 2.0.12 are vulnerable to Prototype Pollution via the php.strings.parsestr function. Recommendation Upgrade to version 2.0.12 or later References - CVE - GitHub Advisory...

Remote Code Execution

Overview Affected versions of angular-expressions are affected by a remote code execution vulnerability. Impact If you call expressions.compileuserControlledInput where userControlledInput is text that comes from user input you are potentially impacted. The security of the package could be bypass...

Cross-Site Request Forgery (CSRF)

Overview Affected versions of the fastify-csrf package are vulnerable to Cross-site Request Forgery CSRF. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: path: '/', sameSite: true . Also, the CSRF token was available in the GET query parameter...

Directory Traversal

Overview Affected versions of node-simple-router resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerabl...

Regular Expression Denial of Service

Overview In ws before versions 5.2.3, 6.2.2 and 7.4.6 there is a ReDOS vulnerability. Impact A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. Proof of concept js for const length of 1000, 2000, 4000, 8000, 16000, 32000 const value ...

Cross-site scripting in jspdf

Overview In jspdf before version 2.0.0 it is possible to inject JavaScript code via the html method. Recommendation Upgrade to version 2.0.0 or later References - CVE - GitHub Advisory...

Regular Expression Denial of Service

Overview In affected versions of @ckeditor/ckeditor5-markdown-gfm a regular expression denial of service ReDoS vulnerability has been discovered. Impact The vulnerability allowed to abuse a link recognition regular expression, which could cause a significant performance drop resulting in a browse...

Regular Expression Denial of Service

Overview The GitHub Security Lab team has identified potential security vulnerabilities in jquery-validation. The project contains one or more regular expressions that are vulnerable to ReDoS Regular Expression Denial of Service Recommendation Upgrade to fixed version 1.19.3 or later References -...

Regular Expression Denial of Service

Overview Affected versions of marked are vulnerable to a regular expression denial of service. The amplification in this vulnerability is significant, with 1,000 characters resulting in the event loop being blocked for around 6 seconds. Recommendation Update to version 0.3.9 or later. References ...

Directory Traversal

Overview Affected versions of iter-server resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable syste...

Directory Traversal

Overview Affected versions of 360class.jansenhm resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable...

Directory Traversal

Overview Affected versions of dcdcdcdcdc resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

Sanitization bypass using HTML Entities

Overview Affected versions of marked are susceptible to a cross-site scripting vulnerability in link components when sanitize:true is configured. Proof of Concept This flaw exists because link URIs containing HTML entities get processed in an abnormal manner. Any HTML Entities get parsed on a...

Misinterpretation of malicious XML input

Overview Impact xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. Patches Update to 0.7.0 see issue 271 for the stat...

Regular Expression Denial of Service

Overview The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service ReDoS during parsing of queries. Recommendation Upgrade to version 4.16.5 or later References - CVE - GitHub Advisory...

cookie tossing attack

Overview Users that used fastify-csrf with the "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Recommendation Upgrade to version 3.1.0 or later References - CVE - GitHub Advisory...

Regular Expression Denial of Service

Overview npm-user-validate before 1.0.1 is vulnerable to regular expression denial of service. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters. Recommendation Upgrade to version 1.0.1 or later References - CVE - GitHub Advis...

Improper Neutralization of Special Elements used in a Command

Overview In madge before version 4.0.1 it is possible to specify a custom Graphviz path via the graphVizPath option parameter which when the .image, .svg or .dot functions are called, is executed by the childprocess.exec function. Recommendation Upgrade to version 4.0.1 or later References - GitH...

Code Execution by Re-enabling Node.js integration

Overview A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it. For the application to be impacted by this vulnerability it must meet all of these conditions - Runs on Electron 1.7, 1.8, or a 2.0.0-beta - Allows executi...

Silently Runs Cryptocoin Miner

Overview Affected versions of hooka-tools were compromised and modified to silently run a cryptocoin miner in the background. All affected versions have been unpublished from the npm registry. Recommendation While this module has been unpublished, some versions may exist in mirrors or caches. Do...

Hijacked Environment Variables

Overview The node-opencv package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real...

HTML Injection

Overview Affected versions of shout do not escape the /topic command in messages, and are therefore vulnerable to cross-site scripting. Recommendation Update to version 0.50.0 or later. References - PR 344 - GitHub Advisory...

Downloads Resources over HTTP

Overview Affected versions of ikst insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on the...

Rosetta-Flash JSONP Vulnerability

Overview This description taken from the pull request provided by Patrick Kettner. Versions 6.1.0 and earlier of hapi are vulnerable to a rosetta-flash attack, which can be used by attackers to send data across domains and break the browser same-origin-policy. Recommendation - Update hapi to...

Command injection in bestzip

Overview Affected versions of the package bestzip before 2.1.7 are vulnerable to Command Injection via the options param. Recommendation Upgrade to version 2.1.7 or later References - CVE - GitHub Advisory...

Directory Traversal

Overview Affected versions of open-device resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable syste...

Code Execution Through IIFE

Overview Affected versions of serialize-to-js may be vulnerable to arbitrary code execution through an Immediately Invoked Function Expression IIFE. Proof of Concept var payload = "e: function eval'console.logexploited' " var serialize = require'serialize-to-js'; serialize.deserializepayload;...

Cryptographically Weak PRNG

Overview Affected versions of randomatic generate random values using a cryptographically weak psuedo-random number generator. This may result in predictable values instead of random values as intended. Recommendation Update to version 3.0.0 or later. References - Commit 4a52695 - GitHub Advisory...

Reflected XSS from the callback handler's error query parameter

Overview Overview @auth0/nextjs-auth0 versions before and including 1.4.1 are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the error query parameter which is then processed by the callback handler as an error message. Am I affected? You are...