
1635 matches found

Node.js • added 2019/08/28 7:54 p.m. • 14 views

Authorization Bypass

Overview Versions of graphql-shield prior to 6.0.6 are vulnerable to an Authorization Bypass. The rule caching option nocache relies on keys generated by cryptographically insecure functions, which may cause rules to be incorrectly cached. This allows attackers to access information they should n...

AI score: 6.6
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/22 7:49 p.m. • 14 views

Unintended Require

Overview Versions of larvitbase-api prior to 0.5.4 are vulnerable to an Unintended Require. The package exposes an API endpoint and passes a GET parameter unsanitized to a require call. This allows attackers to execute any .js file in the same folder as the server is running. Recommendation...

AI score: 7.1
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/21 6:22 p.m. • 11 views

Malicious Package

Overview All versions of bb-builder contained malicious code. The package ran an executable targeting Windows and uploaded information to a remote server. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on...

AI score: 6.8
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/20 3:17 p.m. • 14 views

Arbitrary Code Execution

Overview Versions of eslint-utils =1.2.0 or 1.4.1 are vulnerable to Arbitrary Code Execution. The getStaticValue does not properly sanitize user input allowing attackers to supply malicious input that executes arbitrary code during the linting process. The getStringIfConstant and getPropertyName...

AI score: 7.5
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/15 7:24 p.m. • 12 views

Cross-Site Scripting

Overview All versions of @risingstack/protect are vulnerable to Cross-Site Scripting. The isXss XSS validator has several bypasses that may allow attackers to execute arbitrary JavaScript in a victim's browser. Recommendation No fix is currently available. Consider using an alternative package. T...

AI score: 6.7
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/12 6:47 p.m. • 17 views

Sensitive Data Exposure

Overview Versions of parse-server prior to 3.6.0 are vulnerable to Sensitive Data Exposure. The package throws the error ParseError.ACCOUNT_ALREADY_LINKED (208) before the authentication controller throws ParseError.SESSION_MISSING (206). This allows unauthenticated attackers to enumerate user account by...

CVSS: 5 · AI score: 4.5 · EPSS: 0.00232
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/12 6:40 p.m. • 18 views

Denial of Service

Overview Versions of parse-server prior to 3.4.1 are vulnerable to Denial of Service (DoS). POST requests to /parse/classes/Audience or other volatile classes cause the server to respond with a 500 Internal Server Error for any subsequent POST requests. Recommendation Upgrade to version 3.4.1 or...

CVSS: 5 · AI score: 4 · EPSS: 0.00334
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/12 6:09 p.m. • 18 views

Sensitive Data Exposure

Overview Versions of msrcrypto prior to 1.4.1 are vulnerable to Sensitive Data Exposure. The package's Elliptic Curve Cryptography (ECC) implementation may leak information about a server's private ECC key. It can also allow attackers to craft invalid ECDSA signatures that pass as valid. There is n...

CVSS: 7.5 · AI score: 3.4 · EPSS: 0.14817
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/07 7:51 p.m. • 23 views

Cross-Site Scripting

Overview All versions of min-http-server are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation No fix is currently available...

CVSS: 3.5 · AI score: 4.1 · EPSS: 0.0014
Exploits: 1 · Affected Software: 1

Node.js • added 2019/08/07 7:39 p.m. • 18 views

Cross-Site Scripting

Overview All versions of http-file-server are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation No fix is currently availabl...

CVSS: 3.5 · AI score: 4.1 · EPSS: 0.0014
Exploits: 1 · Affected Software: 1

Node.js • added 2019/08/07 5:11 p.m. • 10 views

Malicious Package

Overview Version 1.0.11 of device-mqtt contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment. It's al...

AI score: 7
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/07 5:08 p.m. • 7 views

Malicious Package

Overview Version 0.9.2 of slush-fullstack-framework contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your...

AI score: 7
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/07 4:58 p.m. • 7 views

Malicious Package

Overview Version 1.1.3 of pensi-scheduler contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment. It's...

AI score: 7
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/07 4:38 p.m. • 11 views

Malicious Package

Overview Version 1.0.5 of pyramid-proportion contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment...

AI score: 7
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/06 7:14 p.m. • 8 views

Malicious Package

Overview Version 0.0.26 of ngx-context-menu contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment. It...

AI score: 7
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/06 7:08 p.m. • 16 views

Malicious Package

Overview Version 1.0.6 of @fangrong/xoc contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment. It's...

AI score: 7
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/06 6:54 p.m. • 12 views

Malicious Package

Overview Version 1.0.4 of iie-viz contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment. It's also...

AI score: 7
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/06 6:33 p.m. • 14 views

Malicious Package

Overview Version 0.2.5 of jquery-airload contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment. It's...

AI score: 7
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/05 10:17 p.m. • 8 views

Malicious Package

Overview Version 0.0.5 of zemen contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment. It's also...

AI score: 7
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/05 10:07 p.m. • 11 views

Malicious Package

Overview Version 1.0.2 of uploader-plugin contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment. It's...

AI score: 7
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/05 10:03 p.m. • 15 views

Malicious Package

Overview Version 1.2.6 of sailclothjs contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment. It's als...

AI score: 7
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/05 9:43 p.m. • 10 views

Malicious Package

Overview Version 0.1.1 of rccal contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment. It's also...

AI score: 7
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/05 9:27 p.m. • 8 views

Denial of Service

Overview Versions of grpc-ts-health-check prior to 2.0.0 are vulnerable to Denial of Service. The package exposes an API endpoint that may allow attackers to set the service's health status to failing. This can lead to Denial of Service as Kubernetes blocks traffic to services with a failing...

AI score: 6.8
Exploits: 0 · Affected Software: 1

Node.js • added 2019/08/01 7:28 p.m. • 12 views

Open Redirect

Overview Versions of serve prior to 11.3.2 are vulnerable to Open Redirect. The package redirected requests to third-party websites for URLs such as localhost:5000//example.com/index. The user would be redirected to example.com. Recommendation Upgrade to version 11.3.2 or later. References...

AI score: 6.9
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/30 9:15 p.m. • 20 views

Arbitrary File Read

Overview html-pdf before version 3.0.1 is vulnerable to Arbitrary File Read. The package fails to sanitize the HTML input, allowing attackers to exfiltrate server files by supplying malicious HTML code. XHR requests in the HTML code are executed by the server. Input with an XHR request such as...

CVSS: 5 · AI score: 3.5 · EPSS: 0.00316
Exploits: 1 · Affected Software: 1

Node.js • added 2019/07/29 6:52 p.m. • 10 views

Prototype Pollution

Overview Affected versions of mithril are vulnerable to prototype pollution. The function parseQueryString may allow a malicious user to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. A payload such as...

AI score: 6.7
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/29 5:36 p.m. • 15 views

Sandbox Breakout / Arbitrary Code Execution

Overview Versions of notevil prior to 1.3.2 are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to prevent access to the Function constructor by not checking the return values of function calls. This allows attackers to access the Function prototype's constructor...

AI score: 7.3
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/29 5:03 p.m. • 12 views

Path Traversal

Overview All versions of f-serv are vulnerable to Path Traversal. Due to insufficient input sanitization in URLs, attackers can access server files by using relative paths when fetching files. Recommendation No fix is currently available. Consider using an alternative package until a fix is made...

AI score: 6.8
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/25 6:08 p.m. • 12 views

Malicious Package

Overview All versions of anarchy contain malicious code. The package ran rm -rf / as an install script. Recommendation Remove the package from your environment. References GitHub Advisory...

AI score: 6.9
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/23 5:58 p.m. • 17 views

Cross-Site Scripting

Overview Versions of console-feed prior to 2.8.10 are vulnerable to Cross-Site Scripting (XSS). The package fails to properly escape the rendered output. If an application uses console-feed and a malicious JavaScript payload was passed to a console.log('%', payload) call, the package would render HTM...

AI score: 6.1
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/22 2:21 p.m. • 9 views

Authentication Bypass

Overview Versions of otpauth prior to 3.2.8 are vulnerable to Authentication Bypass. The package's totp.validate function may return positive values for single digit tokens even if they are invalid. This may allow attackers to bypass the OTP authentication by providing single digit tokens...

AI score: 7.2
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/19 8:17 p.m. • 10 views

Malicious Package

Overview All versions of fast-requests contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation Remove the package from your environment...

AI score: 6.8
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/19 3:04 p.m. • 10 views

Malicious Package

Overview All versions of cage-js contain malicious code. The malware downloads and runs a script from a remote server as a postinstall script. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that comput...

AI score: 6.9
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/18 9:30 p.m. • 13 views

Denial of Service

Overview Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging...

AI score: 6.8
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/17 10:03 p.m. • 12 views

Malicious Package

Overview Version 1.0.3 of rate-map contains malicious code. The malware breaks functionality of the purescript-installer package by rewriting code of the dl-tar dependency. Recommendation Upgrade to version 1.0.5 or later. There is no indication of further compromise. References GitHub Advisory...

AI score: 7.1
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/17 10:01 p.m. • 11 views

Malicious Package

Overview Version 3.0.2 of load-from-cwd-or-npm contains malicious code. The malware breaks functionality of the purescript-installer package by injecting targeted code. Recommendation Upgrade to version 3.0.4 or later. There is no indication of further compromise. References GitHub Advisory...

AI score: 6.9
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/17 9:39 p.m. • 15 views

Cross-Site Scripting

Overview Versions of dmn-js-properties-panel prior to 0.8.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize input in specially configured diagrams, which may allow attackers to inject arbitrary JavaScript in the embedding website. Recommendation Upgrade to version 0.3.0 ...

AI score: 6.2
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/17 9:38 p.m. • 14 views

Cross-Site Scripting

Overview Versions of cmmn-js-properties-panel prior to 0.8.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize input in specially configured diagrams, which may allow attackers to inject arbitrary JavaScript in the embedding website. Recommendation Upgrade to version 0.8.0...

AI score: 6.2
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/17 9:37 p.m. • 9 views

Cross-Site Scripting

Overview Versions of bpmn-js-properties-panel prior to 0.31.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize input in specially configured diagrams, which may allow attackers to inject arbitrary JavaScript in the embedding website. Recommendation Upgrade to version 0.31...

AI score: 6.2
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/17 8:57 p.m. • 15 views

Path Traversal

Overview All versions of http-file-server are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths. Recommendation No fix is currently available. Consider using an alternative package until a...

CVSS: 5 · AI score: 3.5 · EPSS: 0.00232
Exploits: 1 · Affected Software: 1

Node.js • added 2019/07/17 8:26 p.m. • 11 views

Regular Expression Denial of Service

Overview Affected versions of marked are vulnerable to Regular Expression Denial of Service (ReDoS). The label subrule may significantly degrade parsing performance of malformed input. Recommendation Upgrade to version 0.7.0 or later. References GitHub Advisory...

AI score: 6.9
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/17 7:41 p.m. • 22 views

Local File Inclusion

Overview All versions of domokeeper are vulnerable to Local File Inclusion. The /plugin/ route passes a GET parameter unsanitized to a require call. It then returns the output of require in the server response. This may allow attackers to load unintended code in the application. It also allows...

AI score: 6.8
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/16 7:51 p.m. • 15 views

Malicious Package

Overview All versions of nodes.js contain malicious code. The package searches and installs globally thousands of packages based on keywords node, react, react-native, vue, angular and babel to fill the system's memory. Recommendation Remove the package from your environment and validate what...

AI score: 6.8
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/16 3:17 p.m. • 12 views

Malicious Package

Overview All versions of deasyncp contain malicious code. The package shuts down the machine upon installation as a preinstall script. Recommendation Remove the package from your environment. There is no further compromise. References GitHub Advisory...

AI score: 6.8
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/16 3:01 p.m. • 8 views

Malicious Package

Overview All versions of sdfjghlkfjdshlkjdhsfg contain malicious code. The package is essentially a worm that fetches all packages owned by the user, adds a script to self-replicate as a preinstall script and publishes a new version. Recommendation Remove the package from your environment and...

AI score: 6.8
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/15 5:41 p.m. • 12 views

Prototype Pollution

Overview Versions of lodash.mergewith before 4.6.2 are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via constructor: prototype: ... causing the addition or modification of an existing property that will exist on all objects...

AI score: 6.8
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/15 5:38 p.m. • 10 views

Prototype Pollution

Overview Versions of lodash.defaultsdeep before 4.6.1 are vulnerable to Prototype Pollution. The function 'defaultsDeep' may allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects. Recommendati...

AI score: 6.8
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/15 5:37 p.m. • 10 views

Prototype Pollution

Overview Versions of lodash.mergewith before 4.6.1 are vulnerable to Prototype Pollution. The function 'mergeWith' may allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects. Recommendation...

AI score: 6.8
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/15 5:37 p.m. • 16 views

Prototype Pollution

Overview Versions of lodash.defaultsdeep before 4.6.1 are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via constructor: prototype: ... causing the addition or modification of an existing property that will exist on all...

AI score: 6.8
Exploits: 0 · Affected Software: 1

Node.js • added 2019/07/15 5:35 p.m. • 13 views

Prototype Pollution

Overview Versions of lodash.merge before 4.6.1 are vulnerable to Prototype Pollution. The function 'merge' may allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects. Recommendation Update to...

AI score: 6.8
Exploits: 0 · Affected Software: 1

Total number of security vulnerabilities: 1635