Insecure Default Configuration

Overview Affected versions of airbrake default to sending environment variables over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible for them to capture and read these environment variables, which may result in leaking sensitive...

Arbitrary File Write

Overview Affected versions of cli use predictable temporary file names. If an attacker can create a symbolic link at the location of one of these temporarly file names, the attacker can arbitrarily write to any file that the user which owns the cli process has permission to write to. Proof of...

Timing Attack

Overview Affected versions of csrf-lite are vulnerable to timing attacks as a result of testing CSRF tokens via a fail-early comparison instead of a constant-time comparison. Timing attacks remove the exponential increase in entropy gained from increased secret length, by providing per-character...

Insecure Entropy Source - Math.random()

Overview Affected versions of node-uuid consistently fall back to using Math.random as an entropy source instead of crypto, which may result in guessable UUID's. Recommendation Update to version 1.4.4 or later. References - Issue 108 - Issue 122 - GitHub Advisory...

Private Data Disclosure

Overview Affected versions of express-restify-mongoose are susceptible to an information leakage vulnerability which may allow an attacker to access fields on a model even if those fields are marked as private. Proof of Concept If you have a user model that you want to protect, such as the...

No CSRF Validation

Overview Affected versions of droppy are vulnerable to cross-site socket forgery. The package does not perform verification for cross-domain websocket requests, and as a result, an attacker can create a web page that opens up a websocket connection on behalf of the user visiting the page. The...

Authentication Bypass

Overview Affected versions of the console-io package do not configure the underlying websocket library to require authentication, resulting in an authentication bypass vulnerability. As console-io allows terminal access on the server via a web page, an authentication bypass is essentially remote...

Directory Traversal

Overview Affected versions of restafary are susceptible to a directory traversal vulnerability when a root path is specified in the configuration. Proof of Concept curl -i -s -k -X 'GET' -H 'Authorization: Basic YWRtaW46cGFzc3dvcmQ=' 'http://localhost:8000/api/v1/fs/..%2f..%2fetc/passwd'...

Forgeable Public/Private Tokens

Overview Affected versions of the jws package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT as a bearer...

Forgeable Public/Private Tokens

Overview Affected versions of the jwt-simple package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT, the en...

Regular Expression Denial of Service

Overview Affected versions of riot-compiler are susceptible to a regular expression denial of service vulnerability. Recommendation Update to version 2.3.22 or later. References - Issue 46 - GitHub Advisory...

Sensitive Data In Log Files

Overview Versions of grunt-gh-pages prior to 1.0.0 are affected by a vulnerability which may cause unencrypted github credentials to be written to a log file in certain circumstances. In the grunt-gh-pages deployment scenario where authentication is performed by injecting a github token directly...

Authentication Bypass

Overview Versions of hapi-auth-jwt2 prior to version 5.1.2 are affected by a complete authentication bypass vulnerability when in the try authentication mode. Recommendation Update to version 5.1.2 or later. References - Issue 111 - PR 112 - GitHub Advisory...

Denial of Service and Content Injection

Overview Versions of i18n-node-angular prior to 1.4.0 are affected by denial of service and cross-site scripting vulnerabilities. The vulnerabilities exist in a REST endpoint that was created for development purposes, but was not disabled in production in affected versions. Recommendation Update ...

Regular Expression Denial of Service

Overview Versions of hawk prior to 3.1.3, or 4.x prior to 4.1.1 are affected by a regular expression denial of service vulnerability related to excessively long headers and URI's. Recommendation Update to hawk version 4.1.1 or later. References - Issue 168 - GitHub Advisory...

Regular Expression Denial of Service

Overview Versions of is-my-json-valid prior to 2.12.4 are affected by a regular expression denial of service vulnerability when user input is allowed into a utc-millisec validator. Recommendation Update to version 2.12.4 or later...

Denial of Service

Overview Versions of mqtt-packet prior to 3.4.6, or 4.x prior to 4.0.5 are affected by a denial of service vulnerability wherein specific sequences of MQTT packets can crash the application. Recommendation Version 3.x: Update to version 3.4.6 or later. Version 4.x: Update to version 4.0.5 or late...

Content Injection via TileJSON Name

Overview Versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 of mapbox.js are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios. If L.mapbox.map or L.mapbox.shareControl are used in a manner that gives users control of the TileJSON content, it is possible to inject...

Remote Memory Disclosure

Overview Versions of bittorrent-dht prior to 5.1.3 are affected by a remote memory disclosure vulnerability. This vulnerability allows an attacker to send a specific series of of messages to a listening peer and get it to reveal internal memory. There are two mitigating factors here, that slightl...

Remote Memory Disclosure

Overview Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability. In certain rare circumstances, applications which allow users to control the arguments of a client.ping call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server...

SQL Injection

Overview Versions of mysql prior to 2.0.0-alpha8 are affected by a SQL Injection vulnerability in the mysql.escape function, which does not properly escape object keys. Recommendation Update to version 2.0.0-alpha8 or later. References - Issue 324 - GitHub Advisory...

Unsafe Merging of CORS Configuration Conflict

Overview Versions of hapi prior to 11.1.4 are affected by a vulnerability that causes route-level CORS configuration to override connection-level or server-level CORS defaults. This may result in a situation where CORS permissions are less restrictive than intended. Recommendation Update hapi to...

Denial of Service

Overview Versions of ecstatic prior to 1.4.0 are affected by a denial of service vulnerability when certain input strings are sent via the Last-Modified or If-Modified-Since headers. Parsing certain inputs with new Date or Date.parse cases v8 to crash. As ecstatic passes the value of the affected...

Denial of Service

Overview Versions of hapi prior to 11.1.3 are affected by a denial of service vulnerability. The vulnerability is triggered when certain input is passed into the If-Modified-Since or Last-Modified headers. This causes an 'illegal access' exception to be raised, and instead of sending a HTTP 500...

Cross-Site Scripting

Overview Versions of mustache prior to 2.2.1 are affected by a cross-site scripting vulnerability when attributes in mustache templates are not quoted. Example Template: Input: 'foo' : 'test.com onload=alert1' Rendered result: Recommendation Update to version 2.2.1 or later. Alternatively, ensure...

Cross-Site Scripting

Overview Versions of handlebars prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebar templates are not quoted. Proof of Concept Template: Input: 'foo' : 'test.com onload=alert1' Rendered result: Recommendation Update to version 4.0.0 or later...

Authentication Weakness

Overview Versions of keystone prior to 0.3.16 are affected by a partial authentication bypass vulnerability. In the default sign in functionality, if an attacker provides a full and correct password, yet only provides part of the associated email address, authentication will be granted...

Regular Expression Denial of Service

Overview Versions of millisecond prior to 0.1.2 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed. Proof of concept var ms = require'millisecond'; var genstr = function len, chr var result = ""; for i=0; i=len; i++ result = result ...

Symlink Arbitrary File Overwrite

Overview Versions of tar prior to 2.0.0 are affected by an arbitrary file write vulnerability. The vulnerability occurs because tar does not verify that extracted symbolic links to not resolve to targets outside of the extraction root directory. Recommendation Update to version 2.0.0 or later...

Root Path Disclosure

Overview Versions of send prior to 0.11.2 are affected by an information leakage vulnerability which may allow an attacker to enumerate paths on the server filesystem. Recommendation Update to version 0.11.1 or later. References - PR 70 - Express Changelog - 2015/01/20 - GitHub Advisory...

Regular Expression Denial of Service

Overview Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration. Proof of concept var moment = require'moment'; var genstr = function len, chr var result = "";...

Command Injection

Overview Versions of gm prior to 1.21.1 are affected by a command injection vulnerability. The vulnerability is triggered when user input is passed into gm.compare, which fails to sanitize input correctly before calling the graphics magic binary. Recommendation Update to version 1.21.1 or later...

Regular Expression Denial of Service

Overview The jshamcrest package is affected by a regular expression denial of service vulnerability when certain types of user input are passed in to the emailAddress validator. Proof of concept var js = require'jshamcrest' var emailAddress = new js.JsHamcrest.Matchers.emailAddress; var genstr =...

Regular Expression Denial of Service

Overview The jadedown package is affected by a regular expression denial of service vulnerability when certain types of user input are passed in. Proof of concept var jadedown = require'jadedown'; var genstr = function len, chr var result = ""; for i=0; i=len; i++ result = result + chr; return...

Regular Expression Denial of Service

Overview The ansi2html package is affected by a regular expression denial of service vulnerability when certain types of user input is passed in. Proof of concept var ansi2html = require'ansi2html' var start = process.hrtime; ansi2html"1111111111111111111111;0000000000000000000000";...

Insecure Comparison

Overview Versions of secure-compare prior to 3.0.1 are affected by a vulnerability that results in the package always returning true when comparing two strings of the same length, despite differences in the contents of those strings. Recommendation Upgrade to version 3.0.1 or later. References - ...

Content Injection via TileJSON attribute

Overview Versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 of mapbox.js are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios. If L.mapbox.map or L.mapbox.tileLayer are used to load untrusted TileJSON content from a non-Mapbox URL, it is possible for a malicious use...

Regular Expression Denial of Service

Overview Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse method. Proof of Concept var u = require'uglify-js'; var genstr = function len, chr var result = ""; for i=0; i=len; i++ result = resu...

Regular Expression Denial of Service

Overview All versions of the bleach package are vulnerable to a regular expression denial of service attack when certain types of input are passed into the sanitize function. Recommendation The bleach package is not currently maintained, and has not seen an update since 2014. To mitigate this...

Regular Expression Denial of Service

Overview Versions of ms prior to 0.7.1 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed. Proof of Concept javascript var ms = require'ms'; var genstr = function len, chr var result = ""; for i=0; i=len; i++ result = result + chr;...

Incorrect handling of CORS preflight request headers

Overview Versions of hapi prior to 11.0.0 implement CORS incorrectly, allowing for configurations that at best return inconsistent headers, and at worst allow cross-origin activities that are expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is n...

Regular Expression Denial of Service

Overview Versions of validator prior to 3.22.1 are affected by a regular expression denial of service vulnerability in the isURL method. Recommendation Update to version 3.22.1 or later. References - Issue 152, Comment 48107184 - GitHub Advisory...

Hidden Directories Always Served

Overview Versions 1.1.1 and earlier of inert are vulnerable to an information leakage vulnerability which causes files in hidden directories to be served, even when showHidden is false. The inert directory handler always allows files in hidden directories to be served, even when showHidden is...

Validation Bypass

Overview Versions 2.x.x and earlier of paypal-ipn are affected by a validation bypass vulnerability. paypal-ipn uses the testipn parameter which is set by the PayPal IPN simulator to determine if it should use the production PayPal site or the sandbox. A motivated attacker could craft a request...

Multiple XSS Filter Bypasses

Overview Versions of validator prior to 1.1.0 are affected by several cross-site scripting vulnerabilities due to bypasses discovered in the denylist-based filter. Proof of Concept Various inputs that could bypass the filter were discovered: Improper parsing of nested tags: This is a test...

Directory Traversal

Overview Versions 13.0.8 and earlier of geddy are vulnerable to a directory traversal attack via URI encoded attack vectors. Proof of Concept http://localhost:4000/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd Recommendation Update geddy to version =...

Cross-Site Scripting

Overview Versions 1.6.2 and earlier of serve-index are affected by a cross-site scripting vulnerability. Because file and directory names are not escaped in the module's HTML output, a remote attacker that can influence file or directory names can launch a persistent cross-site scripting attack o...

Directory Traversal

Overview All versions of the static file server module nhouston are vulnerable to directory traversal. An attacker can provide input such as ../ to read files outside of the served directory. Recommendation It is recommended that a different module be used, as we have been unable to reacher the...

Verification Bypass

Overview Versions 4.2.1 and earlier of jsonwebtoken are affected by a verification bypass vulnerability. This is a result of weak validation of the JWT algorithm type, occuring when an attacker is allowed to arbitrarily specify the JWT algorithm. Recommendation Update to version 4.2.2 or later...

Incorrect Handling of Non-Boolean Comparisons During Minification

Overview Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification. Recommendation Upgrade UglifyJS to version = 2.4.24. References - Backdooring JS - Yan Zhu@bcrypt - Issue 751 - GitHub Advisory...