Improper Verification of Cryptographic Signature
Overview The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever...
Prototype Pollution
Overview A prototype pollution vulnerability in affected versions of 'dotty' allows attackers to cause a denial of service and may lead to remote code execution. Recommendation Update to version 0.1.1 or later References - GitHub Advisory - CVE...
Regular Expression Denial of Service
Overview Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings. Recommendation Update to version 2.19.3 or later. References - Issue 4163 - PR 4326 - GitHub Advisory...
Denial-of-Service Extended Event Loop Blocking
Overview Versions prior to 1.0.0 of qs are affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string. Recommendation Update to version 1.0.0 or later References GitHub Advisory...
Denial of Service
Overview css-what from version 4.0.0 and before version 5.0.1 does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input. Recommendation Upgrade to version 5.0.1 or later References - CVE - GitHub Advisory...
Injection and Command Injection in devcert
Overview A command injection vulnerability in the devcert module may lead to remote code execution when users of the module pass untrusted input to the certificateFor function. Recommendation Upgrade to version 1.1.2 or later References - CVE - GitHub Advisory...
Cross-Site Scripting
Overview A vulnerability in the HTML editor of Slab Quill allows an attacker to execute arbitrary JavaScript by storing an XSS payload in a crafted onloadstart attribute of an IMG element in a text field. No patch exists and no further releases are planned. Recommendation Avoid using quill as there ...
SQL Injection
Overview Prototype pollution vulnerability in the typeorm package 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks. Recommendation Upgrade to version 0.2.25 or later References - CVE - GitHub Advisory...
Command Injection
Overview Affected versions of the samba-client package allow command injection because of the use of process.exec. Recommendation Upgrade to version 4.0.0 or later References - CVE - GitHub Advisory...
DLL Injection
Overview Versions of kerberos prior to 1.0.0 are vulnerable to DLL Injection. The package loads DLLs without specifying a full path. This may allow attackers to create a file with the same name in a folder that precedes the intended file in the DLL path search. Doing so would allow attackers to...
Downloads Resources over HTTP
Overview Affected versions of jser-stat insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on th...
Regular Expression Denial of Service
Overview In prismjs before 1.24.0 some languages are vulnerable to Regular Expression Denial of Service ReDoS. Impact When Prism is used to highlight untrusted user-given text, an attacker can craft a string that will take a very very long time to highlight. Do not use the following languages to...
Uncontrolled Resource Consumption in locutus
Overview locutus before 2.0.15 is vulnerable to Regular Expression Denial of Service ReDoS via the gopherparsedir function. Recommendation Upgrade to version 2.0.15 or later References - CVE - GitHub Advisory...
Improper Certificate Validation
Overview Version 1.2.0 of mongodb-client-encryption does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node.js driver and the KMS service...
Token Verification Bug
Overview Impact next-auth implementations using the Prisma database adapter with the Email provider are impacted. Implementations using the Prisma database adapter that are not using the Email provider are not impacted. Implementations using the default database adapter TypeORM with the Email...
Cross-Site Scripting (XSS)
Overview apexcharts is a modern JavaScript charting library to build interactive charts and visualizations with a simple API. Affected versions of this package are vulnerable to Cross-site Scripting XSS via lack of sanitization of graph legend fields. Recommendation Upgrade to version 3.24.0 or...
Denial of Service
Overview Impact Some regexes are vulnerable to regular expression denial of service ReDoS due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTPS request to maliciously crafted long strings. Patches Please update uap-core t...
Command Injection in buns
Overview There is a command injection vulnerability in all versions of package buns. The injection point is located in line 678 in index file lib/index.js in the exported function installrequestedModule. Recommendation As there is no fixed version for buns and the package is marked deprecated, th...
Sensitive data exposure in NATS
Overview Preview versions of two NPM packages and one Deno package from the NATS project contain an information disclosure flaw, leaking options to the NATS server; for one package, this includes TLS private credentials. The connection configuration options in these JavaScript-based implementatio...
Authentication bypass via incorrect XML canonicalization and DOM traversal
Overview Versions of saml2-js prior to 1.12.4 or 2.0.2 are vulnerable to authentication bypass. The saml2-js library may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the...
Directory Traversal
Overview The @vivaxy/here module is a small web server that serves files with the process' working directory acting as the web root. It is vulnerable to a directory traversal attack. This means that files on the local file system which exist outside of the web root may be disclosed to an attacker...
Directory Traversal
Overview Affected versions of tinyserver2 resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable syste...
Directory Traversal
Overview Affected versions of serveryaozeyan resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable...
Observable timing discrepancy
Overview Affected versions of jose are vulnerable to a Padding Oracle Attack due to Observable Timing Discrepancy. Impact AESCBCHMACSHA2 Algorithm A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 decryption would always execute both HMAC tag verification and CBC decryption, if either failed...
Command Injection
Overview All versions of package ts-process-promises are affected by a command injection vulnerability. The injection point is located in line 45 in main entry of package in lib/process-promises.js. Recommendation Since there is currently no fix version, discontinue use of the ts-process-promises...
Prototype Pollution Protection Bypass
Overview Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing or may bypass the prototype pollution protectio...
Directory Traversal
Overview Affected versions of list-n-stream resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable...
methodOverride Middleware Reflected Cross-Site Scripting
Overview Connect is a stack of middleware that is executed in order in each request. The "methodOverride" middleware allows the http post to override the method of the request with the value of the "method" post key or with the header "x-http-method-override". Because the user post input was not...
Prototype Pollution
Overview Prototype pollution vulnerability in ‘set-getter’ version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution. Recommendation Upgrade to version 0.1.1 or later References - CVE - GitHub Advisory...
OS Command Injection in ng-packagr
Overview ng-packagr before 10.1.1 is vulnerable to Command Injection via the styleIncludePaths option. Recommendation Upgrade to version 10.1.1 or later References - CVE - GitHub Advisory...
netmask npm package vulnerable to octal input data
Overview netmask npm package is vulnerable to octal input data. This may lead to server-side request forgery, remote file inclusion, local file inclusion, and other vulnerabilities. Recommendation Upgrade to version 2.0.1 or later. References - GitHub Advisory - Researcher report...
Regular Expression Denial of Service
Overview A Regular Expression Denial of Service vulnerability was discovered in esm. The issue is that esm's find-indexes is using the unescaped identifiers in a regex, which, in this case, causes an infinite loop. Recommendation Upgrade to version 3.1.0 or later References - WhiteSource Advisory...
Improper Key Verification
Overview An attacker can inject an HMAC-SHA1 signature that is valid using only knowledge of the RSA public key. This allows bypassing signature validation. Recommendation Version 2.0.0 has the fix. The recommendation is to upgrade. In case that is not possible remove the...
Failure to sanitize quotes which can lead to sql injection
Overview All versions of squel are vulnerable to sql injection. The squel package does not properly escape user provided input when provided using the setFields method. This could lead to sql injection if the query was then executed. Proof of concept demonstrating the injection of a single quote...
Regular Expression Denial of Service
Overview Affected versions of string are vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods. Recommendation There is currently no direct patch for this vulnerability. Currently, the best solution ...
Hijacked Environment Variables
Overview The opencv.js package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real...
XSS via Angular Expression
Overview Affected versions of ag-grid are vulnerable to Cross-site Scripting XSS via Angular Expressions, if used in combination with AngularJS. Recommendation Avoid using ag-grid in combination with AngularJS until a fix is available. References - Issue 1287 -...
Invalid Curve Attack
Overview Affected versions of node-jose are vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static ECDH-ES is used. Proof of Concept Recommendation Update to version 0.9.3 or...
Denial of Service and Content Injection
Overview Versions of i18n-node-angular prior to 1.4.0 are affected by denial of service and cross-site scripting vulnerabilities. The vulnerabilities exist in a REST endpoint that was created for development purposes, but was not disabled in production in affected versions. Recommendation Update ...
Buffer overflow in canvas
Overview A buffer overflow is present in canvas versions before 1.6.11, which could lead to a Denial of Service or execution of arbitrary code when it processes a user-provided image. Recommendation Upgrade to version 1.6.11 or later References - CVE - GitHub Advisory...
Prototype Pollution in property-expr
Overview property-expr before 2.0.3 is vulnerable to Prototype Pollution via the setter function. Recommendation Upgrade to version 2.0.3 or later References - CVE - GitHub Advisory...
Regular Expression Denial of Service
Overview hosted-git-info before versions 2.8.9 and 3.0.8 is vulnerable to Regular Expression Denial of Service ReDoS via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity. Recommendation Upgrade to...
Remote Code Execution
Overview Impact In affected versions of pug and pug-code-gen, if a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remot...
Malicious Package
Overview From https://blog.sonatype.com/sonatype-spots-more-discord-malware-in-npm?hspreview=BbDPGbfh-40737456755: The malicious packages were detected by Sonatype’s Security Research Team leveraging Sonatype’s Nexus Intelligence research service. On analyzing these packages closely, our Security...
Directory Traversal
Overview Affected versions of serverxxx resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...
Directory Traversal
Overview Affected versions of gaoxiaotingtingting resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerab...
Code Injection
Overview In pac-resolver before 5.0.0 code-injection can occur when used with untrusted input, due to unsafe PAC file handling. Recommendation Upgrade to version 5.0.0 or later References - CVE - GitHub Advisory - Article...
Regular Expression Denial of Service
Overview codemirror before 5.58.2 is vulnerable to a regular expression denial of service. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.js#L129. The ReDoS vulnerability of the regex...
Prototype Pollution
Overview Prototype pollution vulnerability in set-or-get version 1.0.0 through 1.2.10 allows an attacker to cause a denial of service and may lead to remote code execution. Recommendation Upgrade to version 1.2.11 or later References - CVE - WhiteSource Advisory...
Command Injection
Overview Affected versions of @graphql-tools/git-loader package are vulnerable to Command Injection. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection. Recommendation Upgrade to fix version 6.2.6 or later References - Snyk Advisory - CVE -...