Path Traversal

Overview Versions of cordova-plugin-ionic-webview prior to 2.2.0 are vulnerable to Path Traversal, allowing attackers access to OS local files that should be inaccessible by third-party applications. The package launches a webserver listening on http://localhost:8080 without restricting access of...

Regular Expression Denial of Service

Overview Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service ReDoS. The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs...

Path Traversal

Overview All versions of simplehttpserver are vulnerable to Path Traversal. This vulnerability allows an attacker to access files outside the webroot since it allows symlink navigation in the URL. Recommendation No fix is currently available. Do not use simplehttpserver in production or consider...

Path Traversal

Overview All versions of knightjs are vulnerable to Path Traversal. This vulnerability allows an attacker to read content of arbitrary files on the server due to lack of input validation. Recommendation As there is currently no fix for this module we recommend not using this module in production...

Stored Cross-Site Scripting

Overview All versions of tianma-static are vulnerable to stored cross-site scripting XSS. The vulnerability is exploitable if a user can control the name of a file that is served by tianma-static Recommendation As no fix is available for this vulnerability at this time it is our recommendation to...

Path Traversal

Overview All versions of takeapeek are vulnerable to path traversal exposing files and directories. Recommendation As no fix is currently available for this vulnerability is it is our recommendation to use another static file server. References - HackerOne Report - Node.js Security-wg - GitHub...

Prototype Pollution

Overview Version of cached-path-relative before 1.0.2 are vulnerable to prototype pollution. Recommendation Update to version 1.0.2 or later. References - HackerOne Report - GitHub Issue - Node.js Security-wg - GitHub Advisory...

Entropy Backdoor

Overview All versions of text-qrcode contain malicious code that overwrites the randomBytes method for the crypto module with a function that generates weak entropy. Instead of generating 32 bytes, the infected randomBytes will generate 3 bytes of entropy and hash them, resulting in a 32 byte val...

Malicious Package

Overview Version 0.1.1 of flatmap-stream is considered malicious. This module runs an encrypted payload targeting a very specific application, copay and because they shared the same description it would have likely worked for copay-dash. The injected code: - Read in AES encrypted data from a file...

Code Injection

Overview Verisons of morgan before 1.9.1 are vulnerable to code injection when user input is allowed into the filter or combined with a prototype pollution attack. Recommendation Update to version 1.9.1 or later. References - HackerOne Report - Node.js security-wg - GitHub Advisory...

Denial of Service

Overview All versions of ircdkit are vulnerable to remote denial of service. Recommendation As no current fix is available if you rely on ircdkit in production it might be best to consider another module. References - GitHub Issue - GitHub Advisory...

Command Injection

Overview Versions of samsung-remote before 1.3.5 are vulnerable to command injection. This vulnerability is exploitable if user input is passed into the ip option of the package constructor. Recommendation Update to version 1.3.5 or later. References - HackerOne Report - Node.js security-wg -...

Cross-Site Scripting

Overview Versions of exceljs before 1.6.0 are vulnerable to cross-site scripting. This vulnerability is due to exceljs does not validate data from parsed XLSX file and allows to embed HTML tags, like , directly in the sheet cells. Because of this it's possible to inject malicious JavaScript code...

Remote Code Execution

Overview GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution. More information to...

Path Traversal

Overview Versions of m-server before 1.4.2 are vulnerable to path traversal allowing a remote attacker to display content of arbitrary files from the server. Recommendation Update to version 1.4.2 or later. References - HackerOne Report - Node.js security-wg - GitHub Advisory...

Privilege Escalation

Overview Versions of express-cart before 1.1.6 are vulnerable to privilege escalation. This vulnerability can be exploited so that normal users can escalate their privilege and add new administrator users. Recommendation Update to version 1.1.6 or later. References - HackerOne Report - Node.js...

Cross-Site Scripting

Overview Versions of m-server before 1.4.2 are vulnerable to stored cross-site scripting. This vulnerability is exploitable if an attacker is able to control the name of a file that m-server is serving. Recommendation Update to version 1.4.2 or later. References - HackerOne Report - Node.js...

Command Injection

Overview Versions of ps before 1.0.0 are vulnerable to command injection. Proof of concept: var ps = require'ps'; ps.lookup pid: "$touch success.txt" , functionerr, proc // this method is vulnerable to command injection if err throw err; if proc console.logproc; // Process name, something like...

Command Injection

Overview Versions of ascii-art before 1.4.4 are vulnerable to command injection. This is exploitable when user input is passed into the argument of the ascii-art preview command. Example Proof of concept: ascii-art preview 'doom"; touch /tmp/malicious; echo "' Given that the input is passed on th...

Missing Origin Validation

Overview Versions of browserify-hmr prior to 0.4.0 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement HMR are not...

Missing Origin Validation

Overview Versions of webpack-dev-server before 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement HMR are not...

NoSQL injection

Overview Versions of express-cart before 1.1.8 are vulnerable to NoSQL injection. The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query...

Sensitive Data Exposure

Overview Versions of pem before 1.13.2 expose sensitive data when the readPkcs12 is used. The readPkcs12 function reads the certificate and key data from a pkcs12 file using the encryption password. As part of this process it creates a globally readable file with a filename of 20 random 0-f...

Prototype Pollution

Overview Versions of merge before 1.2.1 are vulnerable to prototype pollution. The merge.recursive function can be tricked into adding or modifying properties of the Object prototype. Recommendation Update to version 1.2.1 or later. References - HackerOne Report - GitHub Advisory...

Missing Origin Validation

Overview Versions of parcel-bundler before 1.10.0 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement HMR are not...

Insufficient Entropy

Overview Versions of cryptiles from version 3.1.0 through 3.1.2, and versions 4.0.0 to version 4.1.1 are vulnerable to insufficient entropy. The randomDigits method generates digits that lack a perfect distribution over enough attempts. Recommendation Update to version 3.1.3 or 4.1.2 or later...

Command Injection

Overview Versions of libnmap before 0.4.16 are vulnerable to command injection. Proof of concept const nmap = require'libnmap'; const opts = range: 'scanme.nmap.org', "x.x.$touch success.txt" ; nmap.scanopts, functionerr, report if err throw new Errorerr; for let item in report...

Command Injection

Overview Versions of apex-publish-static-files before 2.0.1 are vulnerable to command injection. This is exploitable if user input is passed into the connectString option in the publish method. Recommendation Update to version 2.0.1 or later. References - HackerOne Report - security-wg - GitHub...

Prototype Pollution

Overview All versions of merge-options are vulnerable to Prototype Pollution Recommendation Update to version 1.0.1 or greater. References - HackerOne Report - GitHub Commit - GitHub Advisory...

Prototype Pollution

Overview All versions of merge-objects are vulnerable to Prototype Pollution. Recommendation No fix is available for this vulnerability at this time. It is our recommendation to use an alternative package. References - HackerOne Report - GitHub Advisory...

Prototype Pollution

Overview All versions of merge-recursive are vulnerable to Prototype Pollution. When malicious user input is merged with another object it allows the attacker to modify the prototype of Object via proto causing the addition or modification of an existing property. Proof of concept: var merge =...

NoSQL Injection

Overview Versions of loopback-connector-mongodb before 3.6.0 are vulnerable to NoSQL injection. MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the speci...

Remote Code Execution

Overview react-dev-utils on Windows is vulnerable to remote code execution. Recommendation Update to one of the follow versions, depending on the release line that you are using. - 1.0.4 - 2.0.2 - 3.1.2 - 4.2.2 - 5.0.2 - 6.0.0-next.a671462c References -...

Command Injection

Overview Versions of egg-scripts before 2.8.1 are vulnerable to command injection. This is only exploitable if a malicious argument is provided on the command line. Example: eggctl start --daemon --stderr='/tmp/eggctlstderr.log; touch /tmp/malicious' Recommendation Update to version 2.8.1 or late...

Improper Key Verification

Overview Versions 0.1.1 or 0.1.2 of ipns are vulnerable to improper key validation. This is due to the public key verification was not being performed properly, resulting in any key being valid. Recommendation Update to version 0.1.3 or later. References -...

Code Injection

Overview All versions of cryo are vulnerable to code injection due to an Insecure implementation of deserialization. Proof of concept var Cryo = require'cryo'; var frozen = '"root":"CRYOREF3","references":"contents":,"value":"CRYOFUNCTIONfunction console.log\"defconrussia\"; return...

Privilege Escalation due to Blind NoSQL Injection

Overview Versions of flintcms before version 1.1.10 are vulnerable to account takeover due to blind MongoDB injection in the password reset. Recommendation Update to version 1.1.10 or later. References - HackerOne Report - GitHub Advisory...

Malicious Package

Overview All versions of foever are considered malicious. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When executed, the package calls home to a Command and Control server to execute arbitrary commands. Recommendation Th...

Malicious Package

Overview All versions of soket.js are considered malicious. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When executed, the package calls home to a Command and Control server to execute arbitrary commands. Recommendation...

Malicious Package

Overview All versions of soket.io are considered malicious. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When executed, the package calls home to a Command and Control server to execute arbitrary commands. Recommendation...

Malicious Package

Overview All versions of regenrator are considered malicious. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When executed, the package calls home to a Command and Control server to execute arbitrary commands. Recommendatio...

Malicious Package

Overview All versions of regenraotr are considered malicious. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When executed, the package calls home to a Command and Control server to execute arbitrary commands. Recommendatio...

Malicious Package

Overview All versions of axois are considered malicious. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When executed, the package calls home to a Command and Control server to execute arbitrary commands. Recommendation Thi...

Improper Authorization

Overview Versions of aedes before 0.35.1 does not respect its own authorization rules when a client sets a Last Will. Recommendation Update to version 0.35.1 or later. References - GitHub Issue 211 - GitHub Issue 212 - GitHub Advisory...

Arbitrary File Write via Archive Extraction

Overview Versions of adm-zip before 0.4.9 are vulnerable to arbitrary file write when used to extract a specifically crafted archive that contains path traversal filenames ../../file.txt for example. Recommendation Update to version 0.4.9 or later. References - GitHub Pull Request - Zip Slip...

Arbitrary File Write via Archive Extraction

Overview Versions of unzipper before 0.8.13 are vulnerable to arbitrary file write when used to extract a specifically crafted archive that contains path traversal filenames ../../file.txt for example. Recommendation Update to version 0.3.18 or later. References - GitHub Pull Request - Zip Slip...

Out-of-bounds Read

Overview Versions of njwt prior to 1.0.0 are vulnerable to out-of-bounds reads when a number is passed into the base64urlEncode function. On Node.js 6.x or lower this can expose sensitive information and on any other version of Node.js this creates a Denial of Service vulnerability. Recommendatio...

Open Redirect

Overview Versions of url-parse before 1.4.3 returns the wrong hostname which could lead to Open Redirect, Server Side Request Forgery SSRF, or Bypass Authentication Protocol vulnerabilities. Recommendation Update to version 1.4.3 or later. References - HackerOne Report - GitHub Commit - GitHub...

Malicious Package

Overview All versions of boogeyman are considered malicious. This particular package would download a payload from pastebin.com, eval it to read ssh keys and the users .npmrc and send them to a private pastebin account. Recommendation This package was published to the npm Registry for a very shor...

Path Traversal

Overview Versions of express-cart before 1.1.7 are vulnerable to Path Traversal. Recommendation Update to version 1.1.7 or later. References - HackerOne Report - GitHub Advisory...