
1635 matches found

Node.js • added 2018/07/13 12:51 a.m. • 538 views

Malicious Package

Overview: Version 2.0.0 of eslint-config-airbnb-standard was published with a bundled version of eslint-scope that was found to contain malicious code. This code would read the user's .npmrc file and send its contents to a remote server. Recommendation: The best course of action if you found this...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/07/12 4:34 p.m. • 522 views

Malicious Package

Overview: Version 5.0.2 of eslint-config-eslint was published without authorization and was found to contain malicious code. This code would read the user's .npmrc file and send any found authentication tokens to a remote server. Recommendation: The best course of action if you found this package...

AI score: 7.1 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/07/12 4:05 p.m. • 518 views

Malicious Package

Overview: Version 3.7.2 of eslint-scope was published without authorization and was found to contain malicious code. This code would read the user's .npmrc file and send any found authentication tokens to 2 remote servers. Recommendation: The best course of action if you found this package installed...

AI score: 7.2 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/06/01 10:41 p.m. • 655 views

Information Exposure on Case Insensitive File Systems

Overview: Versions of serve before 7.0.0 are vulnerable to information exposure, bypassing the ignore security control, but only on case insensitive file systems. Recommendation: Update to version 7.0.0 or later. References: - HackerOne Report - GitHub Advisory...

CVSS: 5 • AI score: 2.6 • EPSS: 0.00222 • Exploits: 1 • Affected Software: 1
Node.js • added 2018/06/01 10:12 p.m. • 605 views

Cross-Site Scripting

Overview: All versions of sexstatic are vulnerable to stored cross-site scripting (XSS). This is exploitable if an attacker can control a filename that is served by sexstatic. Recommendation: As no fix is currently available for this vulnerability, it is our recommendation to not install or...

CVSS: 4.3 • AI score: 2 • EPSS: 0.00268 • Exploits: 1 • Affected Software: 1
Node.js • added 2018/06/01 10:07 p.m. • 631 views

Command Injection

Overview: Versions of pdf-image before 2.0.0 are vulnerable to command injection. This vulnerability is exploitable if the attacker has control over the pdfFilePath variable passed into pdf-image. Recommendation: Update to version 2.0.0 or later. References: - HackerOne Report - GitHub Advisory...

CVSS: 10 • AI score: 4.9 • EPSS: 0.07956 • Exploits: 2 • Affected Software: 1
Node.js • added 2018/05/22 11:43 p.m. • 525 views

Open Redirect

Overview: Versions of hekto before 0.2.4 are vulnerable to open redirect when a domain name is used as part of the .html filename. Recommendation: Update to version 0.2.4 or later. References: - HackerOne Report - PR 3 - GitHub Advisory...

CVSS: 5.8 • AI score: 3.1 • EPSS: 0.00163 • Exploits: 1 • Affected Software: 1
Node.js • added 2018/05/17 8:43 p.m. • 553 views

Cross-Site Scripting

Overview: All versions of react-marked-markdown are vulnerable to cross-site scripting (XSS) via href attributes. This is exploitable if user input is provided to react-marked-markdown. Proof of concept: import React from 'react' import ReactDOM from 'react-dom' import MarkdownPreview from...

AI score: 5.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 8:00 p.m. • 545 views

Command Injection

Overview: All versions of buttle are vulnerable to command injection. Remote command execution is possible when buttle is run with the --php-bin flag. Recommendation: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module at this time...

CVSS: 4.3 • AI score: 5 • EPSS: 0.00266 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 7:54 p.m. • 556 views

SQL Injection

Overview: All versions of query-mysql are vulnerable to SQL injection due to a lack of user input sanitization, which allows arbitrary SQL queries to be run when fetching data from the database. Recommendation: No fix is currently available for this vulnerability. It is our recommendation to not install or use thi...

CVSS: 6.5 • AI score: 3.8 • EPSS: 0.00235 • Exploits: 1 • Affected Software: 1
Node.js • added 2018/05/16 7:48 p.m. • 545 views

Path Traversal

Overview: Versions of html-pages before 2.1.0 are vulnerable to path traversal. Recommendation: Update to version 2.1.0 or later. References: - HackerOne Report - GitHub Advisory...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 7:39 p.m. • 526 views

Out-of-bounds Read

Overview: Versions of stringstream before 0.0.6 are vulnerable to out-of-bounds read, as it allocates uninitialized Buffers when a number is passed in the input stream on Node.js 4.x and below. Recommendation: Upgrade to version 0.0.6 or later. References: - HackerOne Report -...

AI score: 6.8 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 7:36 p.m. • 537 views

Command Injection

Overview: Versions of open before 6.0.0 are vulnerable to command injection when unsanitized user input is passed in. The package does come with the following warning in the readme: The same care should be taken when calling open as if you were calling child_process.exec directly. If it is an...

AI score: 7.4 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 7:31 p.m. • 528 views

SQL Injection

Overview: All versions of sql are vulnerable to SQL injection as it does not properly escape parameters when building SQL queries. Recommendation: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available. References: -...

AI score: 7.8 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 7:28 p.m. • 544 views

Command Injection

Overview: All versions of fs-path are vulnerable to command injection if unsanitized user input is passed in. Recommendation: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available. References: - HackerOne Report -...

AI score: 7.4 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 7:25 p.m. • 551 views

Out-of-bounds Read

Overview: Versions of base64-url before 2.0.0 are vulnerable to out-of-bounds read, as it allocates uninitialized Buffers when a number is passed in input. Recommendation: Update to version 2.0.0 or later. References: - HackerOne Report - GitHub Advisory...

AI score: 6.8 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 7:22 p.m. • 548 views

Command Injection

Overview: Versions of command-exists before 1.2.4 are vulnerable to command injection. This is exploitable if user input is provided to this module. Recommendation: Update to version 1.2.4 or later. References: - HackerOne Report -...

AI score: 7.5 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 7:16 p.m. • 525 views

Out-of-bounds Read

Overview: Versions of base64url before 3.0.0 are vulnerable to out-of-bounds reads, as it allocates uninitialized Buffers when a number is passed in input on Node.js 4.x and below. Recommendation: Update to version 3.0.0 or later. References: - HackerOne Report - PR 25 - GitHub Advisory...

AI score: 6.8 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 5:55 p.m. • 504 views

Out-of-bounds Read

Overview: Versions of byte before 1.4.1 allocate uninitialized buffers and read data from them past the initialized length. Recommendation: Update to version 1.4.1 or later. References: - HackerOne Report - PR 3 - GitHub Advisory...

AI score: 6.8 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 5:50 p.m. • 541 views

Path Traversal

Overview: Versions of angular-http-server before 1.4.4 are vulnerable to path traversal. Recommendation: Update to version 1.4.4 or later. References: - HackerOne Report https://hackerone.com/reports/330349 - Commit 8bafc95 - GitHub Advisory...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 5:48 p.m. • 548 views

Path Traversal

Overview: All versions of localhost-now are vulnerable to path traversal. This vulnerability is a bypass of the path traversal fix introduced in version 1.0.2. Proof of concept: $ curl -v --path-as-is "http://IP:5432/..././..././..././..././..././..././..././..././..././..././etc/passwd"...

AI score: 6.8 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 5:40 p.m. • 530 views

Command Injection

Overview: All versions of macaddress are vulnerable to command injection. For this vulnerability to be exploited, an attacker needs to control the iface argument to the one method. Recommendation: Update to version 0.2.9 or later. References: - HackerOne Report - GitHub PR 20 - GitHub Advisory...

AI score: 7.5 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 5:35 p.m. • 522 views

Out-of-bounds Read

Overview: Versions of npmconf before 2.1.3 allocate and write to disk uninitialized memory contents when a typed number is passed as input on Node.js 4.x. Recommendation: Update to version 2.1.3 or later. Consider switching to another config storage mechanism, as npmconf is deprecated and should no...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 5:10 p.m. • 511 views

Path Traversal

Overview: All versions of superstatic are vulnerable to path traversal when used on Windows. Additionally, it is vulnerable to path traversal on other platforms when combined with certain Node.js versions which erroneously normalize \ to / in paths on all platforms, a known example being Node.js v9.9.0...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 5:05 p.m. • 499 views

Malicious Package

Overview: ladder-text-js contained a malicious script that attempted to delete all files when npm test was run. Recommendation: This module has been unpublished from the npm Registry. If you find this module in your environment, remove it. References: GitHub Advisory...

AI score: 6.7 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 4:58 p.m. • 497 views

Malicious Package

Overview: nothing-js contained a malicious script that attempted to delete all files when npm test was run. Recommendation: This module has been unpublished from the npm Registry. If you find this module in your environment, remove it. References: GitHub Advisory...

AI score: 6.7 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 4:47 p.m. • 509 views

Malicious Package

Overview: The getcookies module contained a backdoor that would allow a remote attacker to execute arbitrary commands on the system running the malicious module. Recommendation: This module should be uninstalled if found used within an application. In addition to removing the installed module,...

AI score: 7.7 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 4:36 p.m. • 499 views

Cross-Site Scripting

Overview: Versions of react-svg before 2.2.18 are vulnerable to cross-site scripting (XSS). This is due to the fact that scripts found in SVG files are run by default. Recommendation: Update to version 2.2.18 or later. References: - GitHub PR 57 - GitHub Advisory...

AI score: 6.2 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 4:34 p.m. • 507 views

Denial of Service

Overview: All versions of rgb2hex are vulnerable to Regular Expression Denial of Service (ReDoS) when an attacker can pass in a specially crafted invalid color value. Recommendation: Update to version 0.1.6 or later. References: - HackerOne Report -...

AI score: 6.7 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 4:30 p.m. • 516 views

Out-of-bounds Read

Overview: Versions of atob before 2.1.0 allocate uninitialized Buffers when a number is passed in input on Node.js 4.x and below. Recommendation: Update to version 2.1.0 or later. References: - HackerOne Report - GitHub Advisory...

AI score: 6.8 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 4:27 p.m. • 502 views

Denial of Service

Overview: All versions of foreman are vulnerable to Regular Expression Denial of Service when requests to it are made with a specially crafted path. Recommendation: Upgrade to version 3.0.1. References: - HackerOne Report - https://github.com/strongloop/node-foreman/blob/v2.0.0/forward.js#L30 - GitHu...

AI score: 6.8 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 4:11 p.m. • 494 views

Out-of-bounds Read

Overview: Versions of concat-with-sourcemaps before 1.0.6 allocate uninitialized Buffers when a number is passed as a separator. Recommendation: Update to version 1.0.6 or later. References: - HackerOne Report - Source Reference - GitHub Advisory...

AI score: 6.8 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 4:01 p.m. • 516 views

Command Injection

Overview: Versions of pdfinfojs before 0.4.1 are vulnerable to command injection. This is exploitable if an attacker can control the filename parameter that is passed into the pdfinfojs constructor. Recommendation: Update to version 0.4.1 or later. References: - HackerOne Report - Commit 5cc59cd -...

CVSS: 10 • AI score: 4 • EPSS: 0.0386 • Exploits: 1 • Affected Software: 1
Node.js • added 2018/05/16 3:52 p.m. • 491 views

Cross-Site Scripting (XSS)

Overview: Versions of cloudcmd before 9.1.6 are vulnerable to cross-site scripting (XSS) when listing files in a directory. The attacker must control the name of a file for this vulnerability to be exploitable. Recommendation: Update to version 9.1.6 or later. References: - HackerOne...

AI score: 5.8 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/16 3:47 p.m. • 501 views

Path Traversal

Overview: All versions of mcstatic are vulnerable to path traversal. Recommendation: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module at this time. References: - HackerOne Report - GitHub Advisory...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/15 11:53 p.m. • 13 views

Malicious Package

Overview: Version 1.0.5 of dictum.js contained malicious code. The code, when executed in the browser, would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 1.0.5 of this module is found installed y...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/15 11:52 p.m. • 15 views

Malicious Package

Overview: Version 1.0.14 of nginxbeautifier contained malicious code. The code, when executed in the browser, would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 1.0.14 of this module is found...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/15 11:51 p.m. • 12 views

Malicious Package

Overview: Version 1.0.7 of xoc contained malicious code. The code, when executed in the browser, would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 1.0.7 of this module is found installed you wil...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/15 11:49 p.m. • 17 views

Malicious Package

Overview: Version 1.0.1 of simple-alipay contained malicious code. The code, when executed in the browser, would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 1.0.1 of this module is found install...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/15 11:48 p.m. • 12 views

Malicious Package

Overview: Version 0.4.8 of s3asy contained malicious code. The code, when executed in the browser, would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 0.4.8 of this module is found installed you...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/15 11:46 p.m. • 11 views

Malicious Package

Overview: Version 0.0.7 of react-server-native contained malicious code. The code, when executed in the browser, would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 0.0.7 of this module is found...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/15 11:45 p.m. • 11 views

Malicious Package

Overview: Version 0.3.0 of react-dates-sc contained malicious code. The code, when executed in the browser, would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 0.3.0 of this module is found...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/15 11:43 p.m. • 11 views

Malicious Package

Overview: Version 8.4.3 of rc-calendar-jhorst contained malicious code. The code, when executed in the browser, would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 8.4.3 of this module is found...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/15 11:42 p.m. • 12 views

Malicious Package

Overview: Version 1.0.2 of oauth-validator contained malicious code. The code, when executed in the browser, would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 1.0.2 of this module is found...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/15 11:40 p.m. • 12 views

Malicious Package

Overview: Version 0.1.1 of modlibrary contained malicious code. The code, when executed in the browser, would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 0.1.1 of this module is found installed...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/15 11:38 p.m. • 11 views

Malicious Package

Overview: Version 2.0.10 of json-serializer contained malicious code. The code, when executed in the browser, would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 2.0.10 of this module is found...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/15 11:35 p.m. • 17 views

Malicious Package

Overview: Version 0.0.3 of jasmin contained malicious code. The code, when executed in the browser, would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 0.0.3 of this module is found installed you...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/15 11:33 p.m. • 15 views

Malicious Package

Overview: Version 1.1.7 of impala contained malicious code. The code, when executed in the browser, would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 1.1.7 of this module is found installed you...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/15 11:30 p.m. • 10 views

Malicious Package

Overview: Version 0.0.6 of freshdom contained malicious code. The code, when executed in the browser, would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 0.0.6 of this module is found installed yo...

AI score: 6.9 • Exploits: 0 • Affected Software: 1
Node.js • added 2018/05/15 11:28 p.m. • 8 views

Malicious Package

Overview: Version 0.0.3 of dynamo-schema contained malicious code. The code, when executed in the browser, would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 0.0.3 of this module is found install...

AI score: 6.9 • Exploits: 0 • Affected Software: 1