31406 matches found
Inefficient Algorithmic Complexity
Overview org.webjars.npm:js-yaml is a human-friendly data serialization language. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the storeMappingPair function in loader.js when handling repeated aliases in merge sequences. An attacker can exhaust CPU...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the inputSourceMap function. An attacker can access arbitrary files by crafting malicious input source code containing a sourceMappingURL comment that references a specific source map file path. Note: This is onl...
Use of Cache Containing Sensitive Information
Overview @angular/service-worker is Angular's service worker tooling. Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the request reconstruction. An attacker can access sensitive session data or cached private resources by exploiting the...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the formatNumber function when the digitsInfo parameter is controlled by untrusted user input. An attacker can exhaust system resources and cause application unavailability by...
Use of Cache Containing Sensitive Information
Overview Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information via the HttpTransferCache utility. An attacker can access sensitive user-specific information by making requests to pages that have been cached by a shared caching layer after another user h...
Cross-site Scripting (XSS)
Overview @angular/core is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this...
Use of Cache Containing Sensitive Information
Overview @angular/service-worker is Angular's service worker tooling. Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the request reconstruction. An attacker can access sensitive session-restricted data or expose credentials by exploiting...
Server-side Request Forgery (SSRF)
Overview @angular/platform-server is an Angular library for using Angular in Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via a parser differential between the strict WHATWG URL parser used for allowlist validation and the lenient Domino URL parse...
Asymmetric Resource Consumption (Amplification)
Overview ws is a simple-to-use websocket client, server and console for node.js. Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) when handling a large number of very small fragments and data chunks. An attacker can cause excessive memory allocatio...
Asymmetric Resource Consumption (Amplification)
Overview org.webjars.npm:ws is a simple-to-use websocket client, server and console for node.js. Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) when handling a large number of very small fragments and data chunks. An attacker can cause excessive...
Uncontrolled Recursion
Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via deeply nested field names in multipart form data. An attacker can exhaust CPU and memory resources by sending a single HTTP request with a crafted multipart body containing excessively nested field names...
Uncontrolled Recursion
Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via deeply nested field names in multipart form data. An attacker can exhaust CPU and memory resources by sending a single HTTP request with a crafted multipart body containing excessively nested field names...
Modification of Assumed-Immutable Data
Overview @angular/core is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this...
Malicious Package
Overview um4r719-baileys is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Prototype Pollution
Overview jsonata is a JSON query and transformation language. Affected versions of this package are vulnerable to Prototype Pollution via several functions, including createFrame and bind. An attacker can modify object prototype attributes directly. In an additional vector, the attacker can pollut...
Prototype Pollution
Overview org.webjars.npm:jsonata is a JSON query and transformation language. Affected versions of this package are vulnerable to Prototype Pollution via several functions, including createFrame and bind. An attacker can modify object prototype attributes directly. In an additional vector, the...
Malicious Package
Overview express-initial is a malicious package that installs "socket io" as a remote access trojan (RAT), then fetches a second-stage payload 0001.dat from the same command-and-control (C2) server and executes it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean (DPRK) group behind the "Contagious...
Malicious Package
Overview bubblesearch is a malicious package that installs "socket io" as a remote access trojan (RAT), then fetches a second-stage payload 0001.dat from the same command-and-control (C2) server and executes it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean (DPRK) group behind the "Contagious...
Malicious Package
Overview @array-util/nodepull is a malicious package that installs "socket io" as a remote access trojan (RAT), then fetches a second-stage payload 0001.dat from the same command-and-control (C2) server and executes it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean (DPRK) group behind the "Contagio...
Malicious Package
Overview xnder-sdk-js is a malicious package that installs "socket io" as a remote access trojan (RAT), then fetches a second-stage payload 0001.dat from the same command-and-control (C2) server and executes it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean (DPRK) group behind the "Contagious...
Malicious Package
Overview bubblestring is a malicious package that installs "socket io" as a remote access trojan (RAT), then fetches a second-stage payload 0001.dat from the same command-and-control (C2) server and executes it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean (DPRK) group behind the "Contagious...
Malicious Package
Overview @antoncarlos1/nodelamp is a malicious package that installs "socket io" as a remote access trojan (RAT), then fetches a second-stage payload 0001.dat from the same command-and-control (C2) server and executes it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean (DPRK) group behind the...
Malicious Package
Overview @array-util/subsearch is a malicious package that installs "socket io" as a remote access trojan (RAT), then fetches a second-stage payload 0001.dat from the same command-and-control (C2) server and executes it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean (DPRK) group behind the...
Malicious Package
Overview @node-cloud/create is a malicious package that installs "socket io" as a remote access trojan (RAT), then fetches a second-stage payload 0001.dat from the same command-and-control (C2) server and executes it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean (DPRK) group behind the "Contagious...
Malicious Package
Overview @sql-trigger/nodesql is a malicious package that installs "socket io" as a remote access trojan (RAT), then fetches a second-stage payload 0001.dat from the same command-and-control (C2) server and executes it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean (DPRK) group behind the "Contagio...
Malicious Package
Overview @apiwizards/company-auth-sdk is a malicious package that installs "socket io" as a remote access trojan (RAT), then fetches a second-stage payload 0001.dat from the same command-and-control (C2) server and executes it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean (DPRK) group behind the...
Malicious Package
Overview @sqlite-node/createsql is a malicious package that installs "socket io" as a remote access trojan (RAT), then fetches a second-stage payload 0001.dat from the same command-and-control (C2) server and executes it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean (DPRK) group behind the...
Malicious Package
Overview @apiwizards/auth-middleware is a malicious package that installs "socket io" as a remote access trojan (RAT), then fetches a second-stage payload 0001.dat from the same command-and-control (C2) server and executes it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean (DPRK) group behind the...
Malicious Package
Overview @apiwizards/api-client is a malicious package that installs "socket io" as a remote access trojan (RAT), then fetches a second-stage payload 0001.dat from the same command-and-control (C2) server and executes it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean (DPRK) group behind the...
Malicious Package
Overview subsearch is a malicious package that installs "socket io" as a remote access trojan (RAT), then fetches a second-stage payload 0001.dat from the same command-and-control (C2) server and executes it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean (DPRK) group behind the "Contagious Intervie...
Malicious Package
Overview bootstrap-utils is a malicious package that installs "socket io" as a remote access trojan (RAT), then fetches a second-stage payload 0001.dat from the same command-and-control (C2) server and executes it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean (DPRK) group behind the "Contagious...
UNIX Symbolic Link (Symlink) Following
Overview github.com/opencontainers/runc/libcontainer is a package for a modern container runtime. Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following in setupPtmx and setupDevSymlinks, which enable file deletion via calls to os.Remove and os.Symlink. An attack...
UNIX Symbolic Link (Symlink) Following
Overview Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following in setupPtmx and setupDevSymlinks, which enable file deletion via calls to os.Remove and os.Symlink. An attacker who supplies a container image whose /dev is a symlink can redirect these operations...
Credential Exposure
Overview Affected versions of this package are vulnerable to Credential Exposure in jsonnetfetcher.go that may expose the Kubernetes service account token of the Grafana Operator manager to users with sufficient privileges to create Dashboard or LibraryPanel resources. This token can be used to...
Credential Exposure
Overview Affected versions of this package are vulnerable to Credential Exposure in jsonnetfetcher.go that may expose the Kubernetes service account token of the Grafana Operator manager to users with sufficient privileges to create Dashboard or LibraryPanel resources. This token can be used to...
Time-of-check Time-of-use (TOCTOU) Race Condition
Overview openclaw is OpenClaw, a personal AI assistant. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the shell wrapper argv. An attacker can execute unauthorized commands by modifying command arguments after allowlist approval but befor...
Missing Authorization
Overview openclaw is OpenClaw, a personal AI assistant. Affected versions of this package are vulnerable to Missing Authorization via the bundle MCP loopback session-spawn path. An attacker can gain unauthorized access to restricted commands by bypassing intended command restrictions through...
Time-of-check Time-of-use (TOCTOU) Race Condition
Overview openclaw is OpenClaw, a personal AI assistant. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the system.run safe-bin allowlist validation. An attacker can access arbitrary files and expose sensitive configuration data by injecti...
Server-side Request Forgery (SSRF)
Overview openclaw is OpenClaw, a personal AI assistant. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the message.action forwarding. An attacker can obtain sensitive credentials by supplying malicious loopback URLs through model-controlled action...
User Interface (UI) Misrepresentation of Critical Information
Overview openclaw is OpenClaw, a personal AI assistant. Affected versions of this package are vulnerable to User Interface (UI) Misrepresentation of Critical Information via the approval display truncation. An attacker can execute unauthorized operations by submitting oversized exec commands with...
Insufficient Session Expiration
Overview openclaw is OpenClaw, a personal AI assistant. Affected versions of this package are vulnerable to Insufficient Session Expiration via the secret revocation webhook. An attacker can maintain access using previously valid webhook secrets by sending webhook events during the period after...
User Impersonation
Overview openclaw is OpenClaw, a personal AI assistant. Affected versions of this package are vulnerable to User Impersonation in the allowFrom feature that relies on mutable Slack display names. An attacker can gain unauthorized access to agent privileges by modifying their Slack display name ...
Time-of-check Time-of-use (TOCTOU) Race Condition
Overview openclaw is OpenClaw, a personal AI assistant. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the node pairing reconnection. An attacker can gain unauthorized node authority by exploiting logic flaws that allow restoration or...
Cross-site Scripting (XSS)
Overview apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...
Server-side Request Forgery (SSRF)
Overview apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...
Cross-site Scripting (XSS)
Overview sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via incomplete validation of URI schemes in attributes su...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via incomplete validation of URI schemes in attributes such as action, formaction, data, poster, and background. An attacker can execute arbitrary scripts in the context of the user’s browser by injecting a crafted...
Cross-site Scripting (XSS)
Overview @apostrophecms/seo provides SEO tools for ApostropheCMS. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the injection of unsanitized values from the seoGoogleTrackingId and seoGoogleTagManager fields into the contents of a tag. A user with editor-level access...
Prototype Pollution
Overview apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...
Improper Encoding or Escaping of Output
Overview fabric is an object model for HTML5 canvas and an SVG-to-canvas parser, backed by jsdom and node-canvas. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the toSVG and getSvgStyles/getSvgSpanStyles paths in the gradient, object, and text SVG...