Search: Nodejs, sorted by most recent

1635 matches found

Node.js
added 2019/05/06 2:09 p.m. • 12 views

Malicious Package

Overview: All versions of experss typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

AI score: 6.6
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/06 2:09 p.m. • 16 views

Malicious Package

Overview: All versions of exprss typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

AI score: 6.6
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/06 2:08 p.m. • 12 views

Malicious Package

Overview: All versions of commnader typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether th...

AI score: 6.6
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/06 2:07 p.m. • 12 views

Malicious Package

Overview: All versions of momen typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

AI score: 6.6
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/06 2:07 p.m. • 11 views

Malicious Package

Overview: All versions of aysnc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

AI score: 6.6
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/06 2:06 p.m. • 10 views

Malicious Package

Overview: All versions of asnyc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

AI score: 6.6
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/06 2:05 p.m. • 9 views

Malicious Package

Overview: All versions of asycn typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

AI score: 6.6
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/06 2:05 p.m. • 17 views

Malicious Package

Overview: All versions of asnc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

AI score: 6.6
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/06 2:04 p.m. • 12 views

Malicious Package

Overview: All versions of aasync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

AI score: 6.6
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/06 2:04 p.m. • 15 views

Malicious Package

Overview: All versions of asyync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

AI score: 6.6
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/06 2:03 p.m. • 10 views

Malicious Package

Overview: All versions of asynnc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

AI score: 6.6
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/06 2:03 p.m. • 12 views

Malicious Package

Overview: All versions of asymc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

AI score: 6.6
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/06 2:02 p.m. • 11 views

Malicious Package

Overview: All versions of asinc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

AI score: 6.6
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/06 2:02 p.m. • 17 views

Malicious Package

Overview: All versions of wepack-cli typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether t...

AI score: 6.6
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/06 2:01 p.m. • 10 views

Malicious Package

Overview: All versions of jajajejejiji typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether...

AI score: 6.6
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/06 1:56 p.m. • 10 views

Malicious Package

Overview: All versions of 4equest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

AI score: 6.6
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/03 7:23 p.m. • 13 views

HTML Injection

Overview: Versions of preact 10.x on prerelease tags alpha and beta prior to 10.0.0-beta.1 are vulnerable to HTML Injection. Due to insufficient input validation the package allows attackers to inject JavaScript objects as virtual-dom nodes, which may lead to Cross-Site Scripting. This requires us...

AI score: 7
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/03 6:45 p.m. • 15 views

Insecure Default Configuration

Overview: Versions of graphql-code-generator prior to 0.18.2 have an Insecure Default Configuration. The package sets NODE_TLS_REJECT_UNAUTHORIZED to 0, disabling certificate verification for the entire project. This results in Insecure Communication for the process.
Recommendation: Upgrade to versio...

AI score: 6.8
Exploits: 0 • Affected software: 1
Node.js
added 2019/05/01 8:16 p.m. • 19 views

Cross-Site Scripting

Overview: Versions of verdaccio prior to 3.12.0 are vulnerable to Cross-Site Scripting. Links for the package's homepage are not properly restricted to http/https and can contain JavaScript, which may lead to arbitrary code execution.
Recommendation: Upgrade to version 3.12.0 or later.
References...

CVSS: 4.3 • AI score: 3.7 • EPSS: 0.0024
Exploits: 1 • Affected software: 1
Node.js
added 2019/05/01 8:13 p.m. • 20 views

Cross-Site Scripting

Overview: Versions of verdaccio prior to 3.12.0 are vulnerable to Cross-Site Scripting. Contents of READMEs are not properly sanitized before rendering, which may allow attackers to execute arbitrary JavaScript code.
Recommendation: Upgrade to version 3.12.0 or later...

CVSS: 4.3 • AI score: 5.6 • EPSS: 0.0024
Exploits: 1 • Affected software: 1
Node.js
added 2019/04/24 7:42 p.m. • 31 views

Signature Verification Bypass

Overview: Versions of jwt-simple prior to 0.5.3 are vulnerable to Signature Verification Bypass. If no algorithm is specified in the decode function, the package uses the algorithm in the JWT to decode tokens. This allows an attacker to create an HS256 symmetric algorithm JWT with the server's...

AI score: 6.7
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/23 2:56 p.m. • 20 views

Open Redirect

Overview: Versions of ecstatic prior to 4.1.2, 3.3.2 or 2.2.2 are vulnerable to Open Redirect. The package fails to validate redirects, allowing attackers to craft requests that result in an HTTP 301 redirect to any other domains.
Recommendation: If using ecstatic 4.x, upgrade to 4.1.2 or later. If...

AI score: 6.8
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/23 2:26 p.m. • 13 views

Command Injection

Overview: All versions of cocos-utils are vulnerable to Remote Code Execution. The unzip function concatenates user input to exec, which may allow attackers to execute arbitrary commands on the server.
Recommendation: No fix is currently available. Consider using an alternative module until a fix is...

AI score: 8
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/19 11:03 p.m. • 10 views

Insecure Default Configuration

Overview: Versions of redbird prior to 0.9.1 have a vulnerable default configuration of allowing TLS 1.0 connections on lib/proxy.js. The package does not provide an option to disable TLS 1.0, which is deprecated and vulnerable.
Recommendation: Upgrade to version 0.9.1 or later.
References: GitHub ...

AI score: 6.8
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/19 10:45 p.m. • 13 views

Timing Attack

Overview: Versions of express-basic-auth prior to 1.2.0 are vulnerable to Timing Attacks. The package uses native string comparison instead of a constant-time string compare, which may lead to Timing Attacks. Timing Attacks can be used to increase the efficiency of brute-force attacks by removing t...

AI score: 6.7
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/19 10:21 p.m. • 13 views

Cross-Site Scripting

Overview: Versions of webpack-bundle-analyzer prior to 3.3.2 are vulnerable to Cross-Site Scripting. The package uses JSON.stringify without properly escaping input, which may lead to Cross-Site Scripting.
Recommendation: Upgrade to version 3.3.2 or later.
References: GitHub PR, Snyk Report, GitH...

AI score: 6.7
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/19 9:51 p.m. • 12 views

Sensitive Data Exposure

Overview: Versions of sequelize-cli prior to 5.5.0 are vulnerable to Sensitive Data Exposure. The function filteredURL does not properly sanitize the config.password value, which may cause passwords with special characters to be logged in plain text.
Recommendation: Upgrade to version 5.5.0 or later...

AI score: 6.8
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/19 9:33 p.m. • 33 views

Use-After-Free

Overview: Versions of puppeteer prior to 1.13.0 are vulnerable to the Use-After-Free vulnerability in Chromium CVE-2019-5786. The Chromium FileReader API is vulnerable to Use-After-Free, which may lead to Remote Code Execution.
Recommendation: Upgrade to version 1.13.0 or later.
References: GitHub...

CVSS: 4.3 • AI score: 5.4 • EPSS: 0.89944
Exploits: 10 • Affected software: 1
Node.js
added 2019/04/18 9:44 p.m. • 42 views

Rate Limiting Bypass

Overview: All versions of express-brute are vulnerable to Rate Limiting Bypass. Concurrent requests may lead to race conditions that cause the package to incorrectly count requests. This may allow an attacker to bypass the rate limiting provided by the package and execute requests without limiting...

AI score: 7
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/18 9:13 p.m. • 13 views

Cross-Site Scripting

Overview: Versions of shave prior to 2.5.3 are vulnerable to Cross-Site Scripting. The shave package overwrites HTML elements and in doing so fails to properly encode the output. If encoded HTML input is passed into shave, the output will be decoded, which may lead to Cross-Site Scripting...

AI score: 6.6
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/18 6:23 p.m. • 15 views

SQL Injection

Overview: Versions of sequelize prior to 5.3.0, excluding v3 and v4, are vulnerable to SQL Injection. The PostgreSQL option standard_conforming_strings is not set to on by default, which may allow attackers to inject SQL statements due to poor handling of backslashes in string literals.
Recommendation...

AI score: 7.4
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/18 6:04 p.m. • 14 views

NoSQL Injection

Overview: Versions of sequelize prior to 4.12.0 are vulnerable to NoSQL Injection. Query operators such as $gt are not properly sanitized and may allow an attacker to alter data queries, leading to NoSQL Injection.
Recommendation: Upgrade to version 4.12.0 or later.
References: GitHub Issue, Snyk...

AI score: 6.8
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/17 7:11 p.m. • 19 views

Arbitrary JavaScript Execution

Overview: Versions of typed-function prior to 0.10.6 are vulnerable to Arbitrary JavaScript Execution. Function names are not properly sanitized and may allow an attacker to execute arbitrary code.
Recommendation: Upgrade to version 0.10.6 or later.
References: GitHub Commit, Snyk Report, GitHub...

CVSS: 6.8 • AI score: 5.4 • EPSS: 0.0075
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/17 6:55 p.m. • 20 views

Cross-Site Scripting

Overview: All versions of materialize-css are vulnerable to Cross-Site Scripting. The tooltip component does not sufficiently sanitize user input, allowing an attacker to execute arbitrary JavaScript code if the malicious input is rendered by a user.
Recommendation: No fix is currently available...

CVSS: 4.3 • AI score: 3 • EPSS: 0.00244
Exploits: 1 • Affected software: 1
Node.js
added 2019/04/17 6:54 p.m. • 20 views

Cross-Site Scripting

Overview: All versions of materialize-css are vulnerable to Cross-Site Scripting. The autocomplete component does not sufficiently sanitize user input, allowing an attacker to execute arbitrary JavaScript code if the malicious input is rendered by a user.
Recommendation: No fix is currently...

CVSS: 4.3 • AI score: 3.1 • EPSS: 0.00223
Exploits: 1 • Affected software: 1
Node.js
added 2019/04/17 6:28 p.m. • 21 views

Unauthorized File Access

Overview: Affected versions of harp are vulnerable to Unauthorized File Access. If a symlink in the project's base directory points to a file outside of the directory, the file is served. This could allow an attacker to access sensitive files on the server.
Recommendation: Upgrade to version 0.40.3...

CVSS: 5 • AI score: 3.7 • EPSS: 0.00223
Exploits: 1 • Affected software: 1
Node.js
added 2019/04/17 2:50 p.m. • 16 views

Cross-Site Scripting

Overview: Versions of simple-markdown prior to 0.4.4 are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containing data or VBScript URIs and a...

CVSS: 4.3 • AI score: 2.9 • EPSS: 0.0036
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/10 9:39 p.m. • 17 views

Cross-Site Scripting

Overview: Versions of @nuxt/devalue prior to 1.2.3 are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization, an attacker may inject arbitrary JavaScript code through object keys.
Recommendation: Upgrade to version 1.2.3 or later.
References: GitHub Issue, GitHub Advisory...

CVSS: 4.3 • AI score: 3.7 • EPSS: 0.0055
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/10 7:02 p.m. • 12 views

Code Injection

Overview: Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the...

AI score: 7.9
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/10 5:42 p.m. • 12 views

Regular Expression Denial of Service

Overview: Versions of marked prior to 0.6.2 and later than 0.3.14 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.
Recommendation: Upgrade to version 0.6.2...

AI score: 6.8
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/10 5:09 p.m. • 10 views

Unauthorized File Access

Overview: Versions of glance prior to 3.0.7 are vulnerable to Unauthorized File Access. The package provides a --nodot option meant to hide files and directories with names that begin with a dot, such as .git, but fails to hide files inside a folder whose name begins with a dot.
Recommendation: Upgrade to versi...

AI score: 6.8
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/10 1:51 p.m. • 13 views

Cross-Site Scripting

Overview: All versions of buttle are vulnerable to Cross-Site Scripting. Due to misconfiguration of its rendering engine, buttle does not sanitize the HTML output, allowing attackers to run arbitrary JavaScript when processing malicious markdown files.
Recommendation: No fix is currently available...

AI score: 6.7
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/10 1:35 p.m. • 11 views

Prototype Pollution

Overview: All versions of upmerge are vulnerable to Prototype Pollution. The merge function fails to prevent user input from altering an Object's prototype, allowing attackers to modify or override properties of all objects in the application. This may lead to Denial of Service or may be chained with othe...

AI score: 7.3
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/09 6:42 p.m. • 18 views

Cross-Site Scripting

Overview: All versions of harp are vulnerable to Cross-Site Scripting. In the admin page it is possible to inject arbitrary JavaScript as a new product option, allowing attackers to execute arbitrary code. This is limited to the admin page and does not affect other pages.
Recommendation: No fix is...

AI score: 7.3
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/09 5:27 p.m. • 13 views

Unauthorized File Access

Overview: Affected versions of harp are vulnerable to Unauthorized File Access. The package states that it ignores files and directories with names that start with an underscore, such as _secret-folder. If the underscore character is URL encoded, the server delivers the file.
Recommendation: Upgrade ...

AI score: 6.9
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/08 9:36 p.m. • 18 views

Cross-Site Scripting

Overview: All versions of harp are vulnerable to Cross-Site Scripting. Due to misconfiguration of its rendering engine, harp does not sanitize the HTML output, allowing attackers to run arbitrary JavaScript when processing malicious files.
Recommendation: No fix is currently available. Consider usin...

AI score: 6.7
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/04 3:48 a.m. • 9 views

Path Traversal

Overview: All versions of statics-server are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths.
Recommendation: No fix is currently available. Consider using an alternative module until a fix is made available.
References...

AI score: 6.8
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/04 3:45 a.m. • 17 views

Denial of Service

Overview: Versions of canvas prior to 1.6.10 are vulnerable to Denial of Service. Processing malicious JPEGs or GIFs could crash the node process.
Recommendation: Upgrade to version 1.6.10.
References: HackerOne Report, GitHub Advisory...

AI score: 6.8
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/04 3:31 a.m. • 15 views

Arbitrary File Overwrite

Overview: Versions of tar prior to 4.4.2 for 4.x and 2.2.2 for 2.x are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the...

AI score: 6.7
Exploits: 0 • Affected software: 1
Node.js
added 2019/04/04 3:20 a.m. • 11 views

Path Traversal

Overview: Versions of servey prior to 3.x are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths.
Recommendation: Upgrade to the latest version.
References: HackerOne Report, GitHub Advisory...

AI score: 6.9
Exploits: 0 • Affected software: 1
Total number of security vulnerabilities: 1635