Top reports from the Node.js third-party modules program at HackerOne:
- [http_server] Stored XSS in the filename when directories listing to Node.js third-party modules - 61 upvotes, $0
- Server-Side Request Forgery (SSRF) in Ghost CMS to Node.js third-party modules - 40 upvotes, $0
- property-expr - Prototype pollution to Node.js third-party modules - 33 upvotes, $0
- Fastify denial-of-service vulnerability with large JSON payloads to Node.js third-party modules - 25 upvotes, $0
- Pixel flood attack cause the javascript heap out of memory to Node.js third-party modules - 25 upvotes, $0
- [Uppy] Internal Server side request forgery (bypass of #786956) to Node.js third-party modules - 22 upvotes, $0
- [socket.io] Cross-Site Websocket Hijacking to Node.js third-party modules - 22 upvotes, $0
- [takeapeek] XSS via HTML tag injection in directory listing page to Node.js third-party modules - 21 upvotes, $0
- Server Side Request Forgery in Uppy npm module to Node.js third-party modules - 21 upvotes, $0
- [glance] Access unlisted internal files/folders revealing sensitive information to Node.js third-party modules - 19 upvotes, $0
- [seeftl] Stored XSS when directory listing via filename. to Node.js third-party modules - 19 upvotes, $0
- bunyan - RCE via insecure command formatting to Node.js third-party modules - 17 upvotes, $0
- [buttle] Unsafe rendering of Markdown files to Node.js third-party modules - 16 upvotes, $0
- [Total.js] Path traversal vulnerability allows to read files outside public directory to Node.js third-party modules - 16 upvotes, $0
- Prototype pollution attack (lodash) to Node.js third-party modules - 16 upvotes, $0
- [serve] Directory listing and File access even when they have been set to be ignored. to Node.js third-party modules - 15 upvotes, $0
- [pdfinfojs] Command Injection on filename parameter to Node.js third-party modules - 15 upvotes, $0
- List any file in the folder by using path traversal to Node.js third-party modules - 15 upvotes, $0
- [bower] Arbitrary File Write through improper validation of symlinks while package extraction to Node.js third-party modules - 15 upvotes, $0
- Reflected XSS in the npm module express-cart. to Node.js third-party modules - 15 upvotes, $0
- [typeorm] SQL Injection to Node.js third-party modules - 15 upvotes, $0
- Several simple remote code execution in pdf-image to Node.js third-party modules - 15 upvotes, $0
- [logkitty] RCE via insecure command formatting to Node.js third-party modules - 15 upvotes, $0
- [query-mysql] SQL Injection due to lack of user input sanitization allows to run arbitrary SQL queries when fetching data from database to Node.js third-party modules - 14 upvotes, $0
- [ascii-art] Command injection to Node.js third-party modules - 14 upvotes, $0
- [untitled-model] sql injection to Node.js third-party modules - 14 upvotes, $0
- [tree-kill] RCE via insecure command concatenation (only Windows) to Node.js third-party modules - 14 upvotes, $0
- Prototype pollution attack (lodash / constructor.prototype) to Node.js third-party modules - 14 upvotes, $0
- [nested-property] Prototype Pollution to Node.js third-party modules - 14 upvotes, $0
- Code Injection Vulnerability in morgan Package to Node.js third-party modules - 13 upvotes, $0
- flatmap-stream malicious package (distributed via the popular events-stream) to Node.js third-party modules - 13 upvotes, $0
- [serve] Access unlisted internal files/folders revealing sensitive information to Node.js third-party modules - 13 upvotes, $0
- OS Command Injection on Jison [all-parser-ports] to Node.js third-party modules - 13 upvotes, $0
- [hekto] Path Traversal vulnerability allows to read content of arbitrary files to Node.js third-party modules - 12 upvotes, $0
- [htmr] DOM-based XSS to Node.js third-party modules - 12 upvotes, $0
- [m-server] XSS reflected because path does not escapeHtml to Node.js third-party modules - 12 upvotes, $0
- [html-pages] Path Traversal in html-pages module allows to read any file from the server with curl to Node.js third-party modules - 11 upvotes, $0
- Unrestricted file upload (RCE) to Node.js third-party modules - 11 upvotes, $0
- [buttle] Path traversal in mid-buttle module allows to read any file in the server. to Node.js third-party modules - 11 upvotes, $0
- `memjs` allocates and stores buffers on typed input, resulting in DoS and uninitialized memory usage to Node.js third-party modules - 11 upvotes, $0
- Privilege escalation allows any user to add an administrator to Node.js third-party modules - 11 upvotes, $0
- [simplehttpserver] List any file in the folder by using path traversal. to Node.js third-party modules - 11 upvotes, $0
- Application level denial of service due to shutting down the server to Node.js third-party modules - 11 upvotes, $0
- [fileview] Inadequate Output Encoding and Escaping to Node.js third-party modules - 11 upvotes, $0
- Denial Of Service in Strapi Framework using argument injection to Node.js third-party modules - 11 upvotes, $0
- [devcert] Command Injection via insecure command formatting to Node.js third-party modules - 11 upvotes, $0
- [serve] Directory index of arbitrary folder available due to lack of sanitization of %2e and %2f characters in url to Node.js third-party modules - 10 upvotes, $0
- Prototype pollution attack (lodash) to Node.js third-party modules - 10 upvotes, $0
- `protobufjs` is vulnerable to ReDoS when parsing crafted invalid *.proto files to Node.js third-party modules - 10 upvotes, $0
- [hekto] open redirect when target domain name is used as html filename on server to Node.js third-party modules - 10 upvotes, $0
- [flintcms] Account takeover due to blind MongoDB injection in password reset to Node.js third-party modules - 10 upvotes, $0
- [samsung-remote] Command injection to Node.js third-party modules - 10 upvotes, $0
- [apex-publish-static-files] Command Injection on connectString to Node.js third-party modules - 10 upvotes, $0
- Command Injection Vulnerability in kill-port Package to Node.js third-party modules - 10 upvotes, $0
- [http-file-server] Stored XSS in the filename when directories listing to Node.js third-party modules - 10 upvotes, $0
- Server Side JavaScript Code Injection to Node.js third-party modules - 10 upvotes, $0
- Prototype pollution in dot-prop to Node.js third-party modules - 10 upvotes, $0
- [i18next] Prototype pollution attack to Node.js third-party modules - 10 upvotes, $0
- [html-janitor] Bypassing sanitization using DOM clobbering to Node.js third-party modules - 9 upvotes, $0
- [localhost-now] Path Traversal allows to read content of arbitrary file to Node.js third-party modules - 9 upvotes, $0
- [general-file-server] Path Traversal vulnerability allows to read content on arbitrary file on the server to Node.js third-party modules - 9 upvotes, $0
- `whereis` concatenates unsanitized input into exec() command to Node.js third-party modules - 9 upvotes, $0
- [statics-server] XSS via injected iframe in file name when statics-server displays directory index in the browser to Node.js third-party modules - 9 upvotes, $0
- Prototype pollution attack (merge.recursive) to Node.js third-party modules - 9 upvotes, $0
- Command Injection Vulnerability in libnmap Package to Node.js third-party modules - 9 upvotes, $0
- [webpack-bundle-analyzer] Cross-site Scripting to Node.js third-party modules - 9 upvotes, $0
- [express-laravel-passport] Improper Authentication to Node.js third-party modules - 9 upvotes, $0
- Stored XSS (Hexo-admin plugin) to Node.js third-party modules - 9 upvotes, $0
- Prototype pollution in multipart parsing to Node.js third-party modules - 9 upvotes, $0
- Prototype Pollution lodash 4.17.15 to Node.js third-party modules - 9 upvotes, $0
- [simplehttpserver] Stored XSS in file names leads to malicious JavaScript code execution when directory listing is output in HTML to Node.js third-party modules - 8 upvotes, $0
- [bracket-template] Reflected XSS possible when variable passed via GET parameter is used in template to Node.js third-party modules - 8 upvotes, $0
- [markdown-pdf] Local file reading to Node.js third-party modules - 8 upvotes, $0
- url-parse package return wrong hostname to Node.js third-party modules - 8 upvotes, $0
- Command Injection in ps Package to Node.js third-party modules - 8 upvotes, $0
- [knightjs] Path Traversal allows to read content of arbitrary files to Node.js third-party modules - 8 upvotes, $0
- Prototype pollution attack through jQuery $.extend to Node.js third-party modules - 8 upvotes, $0
- Remote code execution in NPM package getcookies to Node.js third-party modules - 8 upvotes, $0
- [serve-here.js] List any file in the folder by using path traversal. to Node.js third-party modules - 8 upvotes, $0
- Yarn transfers npm credentials over unencrypted http connection to Node.js third-party modules - 8 upvotes, $0
- gitlabhook OS Command Injection to Node.js third-party modules - 8 upvotes, $0
- Path traversal using symlink to Node.js third-party modules - 8 upvotes, $0
- [atlasboard-atlassian-package] Cross-site Scripting (XSS) to Node.js third-party modules - 8 upvotes, $0
- [jsreport] Remote Code Execution to Node.js third-party modules - 8 upvotes, $0
- SQL Injection or Denial of Service due to a Prototype Pollution to Node.js third-party modules - 8 upvotes, $0
- [min-http-server] List any file in the folder by using path traversal. to Node.js third-party modules - 8 upvotes, $0
- Default behavior of Fastify's versioned routes can be used for cache poisoning when Fastify is used in combination with a http cache / CDN to Node.js third-party modules - 8 upvotes, $0
- [wireguard-wrapper] Command Injection via insecure command concatenation to Node.js third-party modules - 8 upvotes, $0
- Path Traversal on Resolve-Path to Node.js third-party modules - 7 upvotes, $0
- [angular-http-server] Path Traversal in angular-http-server.js allows to read arbitrary file from the remote server to Node.js third-party modules - 7 upvotes, $0
- [glance] Path Traversal in glance static file server allows to read content of arbitrary file to Node.js third-party modules - 7 upvotes, $0
- [stattic] Improper path validation leads to Path Traversal and allows to read arbitrary files with any extension(s) to Node.js third-party modules - 7 upvotes, $0
- [metascraper] Stored XSS in Open Graph meta properties read by metascraper to Node.js third-party modules - 7 upvotes, $0
- [crud-file-server] Path Traversal allows to read arbitrary file from the server to Node.js third-party modules - 7 upvotes, $0
- `http-proxy-agent` passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak to Node.js third-party modules - 7 upvotes, $0
- Remote Command Execution vulnerability in pullit to Node.js third-party modules - 7 upvotes, $0
- Insecure implementation of deserialization in cryo to Node.js third-party modules - 7 upvotes, $0
- Stored XSS in Node-Red to Node.js third-party modules - 7 upvotes, $0
- [egg-scripts] Command injection to Node.js third-party modules - 7 upvotes, $0
- Prototype pollution attack (defaults-deep / constructor.prototype) to Node.js third-party modules - 7 upvotes, $0
- Samlify is vulnerable to signature wrapping to Node.js third-party modules - 7 upvotes, $0
- [http-file-server] List any files and sub folders in the folder by using path traversal. to Node.js third-party modules - 7 upvotes, $0
- [larvitbase-api] Unintended Require to Node.js third-party modules - 7 upvotes, $0
- [klona] Prototype pollution to Node.js third-party modules - 7 upvotes, $0
- [reveal.js] XSS by calling arbitrary method via postMessage to Node.js third-party modules - 7 upvotes, $0
- [blamer] RCE via insecure command formatting to Node.js third-party modules - 7 upvotes, $0
- [git-promise] RCE via insecure command formatting to Node.js third-party modules - 7 upvotes, $0
- [cloudron-surfer] Denial of Service via LDAP Injection to Node.js third-party modules - 7 upvotes, $0
- [@knutkirkhorn/free-space] - Command Injection through Lack of Sanitization to Node.js third-party modules - 7 upvotes, $0
- Bypass of SSRF Vulnerability to Node.js third-party modules - 7 upvotes, $0
- Server-side Template Injection in lodash.js to Node.js third-party modules - 7 upvotes, $0
- [626] Path Traversal allows to read arbitrary file from remote server to Node.js third-party modules - 6 upvotes, $0
- [anywhere] An iframe element with url to malicious HTML file (with eg. JavaScript malware) can be used as filename and served via anywhere to Node.js third-party modules - 6 upvotes, $0
- [uppy] Stored XSS due to crafted SVG file to Node.js third-party modules - 6 upvotes, $0
- [simple-server] HTML with iframe element can be used as filename, which might lead to load and execute malicious JavaScript to Node.js third-party modules - 6 upvotes, $0
- [node-srv] Path Traversal allows to read arbitrary files from remote server to Node.js third-party modules - 6 upvotes, $0
- `https-proxy-agent` passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak to Node.js third-party modules - 6 upvotes, $0
- [mcstatic] Path Traversal allows to read content of arbitrary files to Node.js third-party modules - 6 upvotes, $0
- `command-exists` concatenates unsanitized input into exec()/execSync() commands to Node.js third-party modules - 6 upvotes, $0
- [mcstatic] Server Directory Traversal to Node.js third-party modules - 6 upvotes, $0
- Insecure implementation of deserialization in funcster to Node.js third-party modules - 6 upvotes, $0
- [serve] Server Directory Traversal to Node.js third-party modules - 6 upvotes, $0
- Arbitrary File Write Through Archive Extraction to Node.js third-party modules - 6 upvotes, $0
- [express-cart] Customer and admin email enumeration through MongoDB injection to Node.js third-party modules - 6 upvotes, $0
- [takeapeek] Path traversal allow to expose directory and files to Node.js third-party modules - 6 upvotes, $0
- [tianma-static] Stored xss on filename to Node.js third-party modules - 6 upvotes, $0
- Prototype Pollution Vulnerability in mpath Package to Node.js third-party modules - 6 upvotes, $0
- Prototype pollution attack (lutils-merge) to Node.js third-party modules - 6 upvotes, $0
- [static-resource-server] Path Traversal allows to read content of arbitrary file on the server to Node.js third-party modules - 6 upvotes, $0
- [domokeeper] Unintended Require to Node.js third-party modules - 6 upvotes, $0
- [larvitbase-www] Unintended Require to Node.js third-party modules - 6 upvotes, $0
- Lodash "difference" (possibly others) Function Denial of Service Through Unvalidated Input to Node.js third-party modules - 6 upvotes, $0
- [url-parse] Improper Validation and Sanitization to Node.js third-party modules - 6 upvotes, $0
- Arbitrary code execution via untrusted schemas in is-my-json-valid to Node.js third-party modules - 6 upvotes, $0
- [wappalyzer] ReDoS allows an attacker to completely break Wappalyzer to Node.js third-party modules - 6 upvotes, $0
- [notevil] - Sandbox Escape Lead to RCE on Node.js and XSS in the Browser to Node.js third-party modules - 6 upvotes, $0
- [freespace] Command Injection due to Lack of Sanitization to Node.js third-party modules - 6 upvotes, $0
- [last-commit-log] Command Injection to Node.js third-party modules - 6 upvotes, $0
- [html-janitor] Passing user-controlled data to clean() leads to XSS to Node.js third-party modules - 5 upvotes, $0
- `sshpk` is vulnerable to ReDoS when parsing crafted invalid public keys to Node.js third-party modules - 5 upvotes, $0
- `atob` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below to Node.js third-party modules - 5 upvotes, $0
- [public] Stored XSS in filenames in directory served by public to Node.js third-party modules - 5 upvotes, $0
- `superstatic` is vulnerable to path traversal on Windows to Node.js third-party modules - 5 upvotes, $0
- `macaddress` concatenates unsanitized input into exec() command to Node.js third-party modules - 5 upvotes, $0
- `base64-url` below 2.0 allocates uninitialized Buffers when number is passed in input to Node.js third-party modules - 5 upvotes, $0
- The react-marked-markdown module allows XSS injection in href values. to Node.js third-party modules - 5 upvotes, $0
- [serve] Directory listing and File access even when they have been set to be ignored to Node.js third-party modules - 5 upvotes, $0
- [public] Stored XSS in the filename when directories listing to Node.js third-party modules - 5 upvotes, $0
- [html-pages] Stored XSS in the filename when directories listing to Node.js third-party modules - 5 upvotes, $0
- `njwt` allocates uninitialized Buffers when number is passed in base64urlEncode input to Node.js third-party modules - 5 upvotes, $0
- [git-dummy-commit] Command injection on the msg parameter to Node.js third-party modules - 5 upvotes, $0
- [bruteser] Path Traversal allows to read content of arbitrary file to Node.js third-party modules - 5 upvotes, $0
- [entitlements] Command injection on the 'path' parameter to Node.js third-party modules - 5 upvotes, $0
- stored xss in scrape-metadata when reading metadata from an html page to Node.js third-party modules - 5 upvotes, $0
- Arbitrary File Write through archive extraction to Node.js third-party modules - 5 upvotes, $0
- Prototype pollution attack (extend) to Node.js third-party modules - 5 upvotes, $0
- http-live-simulator npm module is prone to path traversal attacks to Node.js third-party modules - 5 upvotes, $0
- Code Injection Vulnerability in dot Package to Node.js third-party modules - 5 upvotes, $0
- [statichttpserver] List any file in the folder by using path traversal. to Node.js third-party modules - 5 upvotes, $0
- [node-df] RCE via insecure command concatenation to Node.js third-party modules - 5 upvotes, $0
- Lack of input validation and sanitization in react-autolinker-wrapper library causes XSS to Node.js third-party modules - 5 upvotes, $0
- [script-manager] Unintended require to Node.js third-party modules - 5 upvotes, $0
- [extend-merge] Prototype pollution to Node.js third-party modules - 5 upvotes, $0
- [json8-merge-patch] Prototype Pollution to Node.js third-party modules - 5 upvotes, $0
- [arpping] Remote Code Execution to Node.js third-party modules - 5 upvotes, $0
- Fastify uses allErrors: true ajv configuration by default which is susceptible to DoS to Node.js third-party modules - 4 upvotes, $250
- [serve-here] Static Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 4 upvotes, $0
- [featurebook] Specification Server Directory Traversal via Crafted Browser Request to Node.js third-party modules - 4 upvotes, $0
- [redis-commander] Reflected SWF XSS via vulnerable "clipboard.swf" component to Node.js third-party modules - 4 upvotes, $0
- Prototype pollution attack (Hoek) to Node.js third-party modules - 4 upvotes, $0
- Prototype pollution attack (mixin-deep) to Node.js third-party modules - 4 upvotes, $0
- Prototype pollution attack (assign-deep) to Node.js third-party modules - 4 upvotes, $0
- [public] Path Traversal allows to read content of arbitrary files to Node.js third-party modules - 4 upvotes, $0
- [crud-file-server] Stored XSS in filenames when directory index is served by crud-file-server to Node.js third-party modules - 4 upvotes, $0
- [glance] Stored XSS via file name allows to run arbitrary JavaScript when directory listing is displayed in browser to Node.js third-party modules - 4 upvotes, $0
- Prototype pollution attack (deep-extend) to Node.js third-party modules - 4 upvotes, $0
- [angular-http-server] Server Directory Traversal to Node.js third-party modules - 4 upvotes, $0
- Bypass to defective fix of Path Traversal to Node.js third-party modules - 4 upvotes, $0
- [buttle] Remote Command Execution via unsanitized PHP filename when it's run with --php-bin flag to Node.js third-party modules - 4 upvotes, $0
- `base64url` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below to Node.js third-party modules - 4 upvotes, $0
- `byte` allocates uninitialized buffers and reads data from them past the initialized length to Node.js third-party modules - 4 upvotes, $0
- [localhost-now] bypassing url filter which leads to read content of arbitrary file to Node.js third-party modules - 4 upvotes, $0
- `put` allocates uninitialized Buffers when non-round numbers are passed in input to Node.js third-party modules - 4 upvotes, $0
- [ponse] Path traversal in ponse module allows to read any file on server to Node.js third-party modules - 4 upvotes, $0
- [exceljs] Possible XSS via cell value when worksheet is displayed in browser to Node.js third-party modules - 4 upvotes, $0
- [serve] XSS via HTML tag injection in directory listing page to Node.js third-party modules - 4 upvotes, $0
- [serve] Stored XSS in the filename when directories listing to Node.js third-party modules - 4 upvotes, $0
- Prototype pollution attack in just-extend to Node.js third-party modules - 4 upvotes, $0
- Prototype pollution attack (upmerge) to Node.js third-party modules - 4 upvotes, $0
- XSS in Bootbox to Node.js third-party modules - 4 upvotes, $0
- [https-proxy-agent] Socket returned without TLS upgrade on non-200 CONNECT response, allowing request data to be sent over unencrypted connection to Node.js third-party modules - 4 upvotes, $0
- Trojan:JS/CoinMiner in npm files to Node.js third-party modules - 4 upvotes, $0
- Command Injection due to lack of sanitisation of tar.gz filename passed as an argument to pm2.install() function to Node.js third-party modules - 4 upvotes, $0
- [utils-extend] Prototype pollution to Node.js third-party modules - 4 upvotes, $0
- [Limited bypass of #793704] Blind SSRF in Ghost CMS to Node.js third-party modules - 4 upvotes, $0
- [crypto-js] Insecure entropy source - Math.random() to Node.js third-party modules - 4 upvotes, $0
- [wappalyzer] ReDoS allows an attacker to completely break Wappalyzer to Node.js third-party modules - 4 upvotes, $0
- [sapper] Path Traversal to Node.js third-party modules - 4 upvotes, $0
- [express-cart] Wide CSRF in application to Node.js third-party modules - 4 upvotes, $0
- [hnzserver] Path Traversal allowing to read any files on the server to Node.js third-party modules - 4 upvotes, $0
- Prototype Pollution Vulnerability in noble Package to Node.js third-party modules - 4 upvotes, $0
- [lactate] Static Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 3 upvotes, $0
- [augustine] Static Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 3 upvotes, $0
- Prototype pollution attack (merge-deep) to Node.js third-party modules - 3 upvotes, $0
- Prototype pollution attack (defaults-deep) to Node.js third-party modules - 3 upvotes, $0
- `foreman` is vulnerable to ReDoS in path to Node.js third-party modules - 3 upvotes, $0
- `npmconf` (and `npm` js api) allocate and write to disk uninitialized memory content when a typed number is passed as input on Node.js 4.x to Node.js third-party modules - 3 upvotes, $0
- [sexstatic] HTML injection in directory name(s) leads to Stored XSS when malicious file is embedded with <iframe> element used in directory name to Node.js third-party modules - 3 upvotes, $0
- Command injection in 'pdf-image' to Node.js third-party modules - 3 upvotes, $0
- `utile` allocates uninitialized Buffers when number is passed in input to Node.js third-party modules - 3 upvotes, $0
- [file-static-server] Path Traversal allows to read content of arbitrary file on the server to Node.js third-party modules - 3 upvotes, $0
- Privilege escalation with malicious .npmrc to Node.js third-party modules - 3 upvotes, $0
- XSS in express-useragent through HTTP User-Agent to Node.js third-party modules - 3 upvotes, $0
- [m-server] HTML Injection in filenames displayed as directory listing in the browser allows to embed iframe with malicious JavaScript code to Node.js third-party modules - 3 upvotes, $0
- Prototype pollution attack in node.extend to Node.js third-party modules - 3 upvotes, $0
- [harp] File access even when they have been set to be ignored. to Node.js third-party modules - 3 upvotes, $0
- [harp] Path traversal using symlink to Node.js third-party modules - 3 upvotes, $0
- A specifically malformed MQTT Subscribe packet crashes MQTT Brokers using the mqtt-packet module for decoding to Node.js third-party modules - 3 upvotes, $0
- [min-http-server] Stored XSS in the filename when directories listing to Node.js third-party modules - 3 upvotes, $0
- environment variable leakage in error reporting to Node.js third-party modules - 3 upvotes, $0
- Command Injection in npm module name passed as an argument to pm2.install() function to Node.js third-party modules - 3 upvotes, $0
- `indexFile` option passed as an argument to node-server can lead to arbitrary file read to Node.js third-party modules - 3 upvotes, $0
- [treekill] RCE via insecure command concatenation (only Windows) to Node.js third-party modules - 3 upvotes, $0
- Path traversal in https://www.npmjs.com/package/http_server via symlink to Node.js third-party modules - 3 upvotes, $0
- `rgb2hex` is vulnerable to ReDoS when parsing crafted invalid colors to Node.js third-party modules - 3 upvotes, $0
- [open] concatenation of unsanitized input into exec() command to Node.js third-party modules - 3 upvotes, $0
- [meta-git] RCE via insecure command formatting to Node.js third-party modules - 3 upvotes, $0
- [npm-git-publish] RCE via insecure command formatting to Node.js third-party modules - 3 upvotes, $0
- [node-red] Stored XSS within Flow's - "Name" field to Node.js third-party modules - 3 upvotes, $0
- [yarn] yarn.lock integrity & hash check logic is broken to Node.js third-party modules - 3 upvotes, $0
- [windows-edge] RCE via insecure command formatting to Node.js third-party modules - 3 upvotes, $0
- [snekserve] Stored XSS via filenames HTML formatted to Node.js third-party modules - 3 upvotes, $0
- [gfc] Command Injection via insecure command formatting to Node.js third-party modules - 3 upvotes, $0
- [systeminformation] Command Injection via insecure command formatting to Node.js third-party modules - 3 upvotes, $0
- Prototype pollution attack (deap) to Node.js third-party modules - 2 upvotes, $0
- [cloudcmd] Stored XSS in the filename when directories listing to Node.js third-party modules - 2 upvotes, $0
- `concat-with-sourcemaps` allocates uninitialized Buffers when number is passed as a separator to Node.js third-party modules - 2 upvotes, $0
- `stringstream` allocates uninitialized Buffers when number is passed in input stream on Node.js 4.x and below to Node.js third-party modules - 2 upvotes, $0
- `fs-path` concatenates unsanitized input into exec()/execSync() commands to Node.js third-party modules - 2 upvotes, $0
- `sql` does not properly escape parameters when building SQL queries, resulting in potential SQLi to Node.js third-party modules - 2 upvotes, $0
- [serve] Directory listing and File access even when they have been set to be ignored (using dot-slash) to Node.js third-party modules - 2 upvotes, $0
- [buttle] HTML Injection in filename leads to XSS when directory listing is displayed in the browser to Node.js third-party modules - 2 upvotes, $0
- [m-server] Path Traversal allows to display content of arbitrary file(s) from the server to Node.js third-party modules - 2 upvotes, $0
- Prototype pollution attack (mergify) to Node.js third-party modules - 2 upvotes, $0
- [http-live-simulator] Path traversal vulnerability to Node.js third-party modules - 2 upvotes, $0
- Regular Expression Denial of Service (ReDoS) to Node.js third-party modules - 2 upvotes, $0
- Prototype pollution attack (smart-extend) to Node.js third-party modules - 2 upvotes, $0
- `useragent` is vulnerable to ReDoS in user-agent string to Node.js third-party modules - 2 upvotes, $0
- [harp] Unsafe rendering of Markdown files to Node.js third-party modules - 2 upvotes, $0
- [public] Path traversal using symlink to Node.js third-party modules - 2 upvotes, $0
- [@azhou/basemodel] SQL injection to Node.js third-party modules - 2 upvotes, $0
- Filesystem Writes via `yarn install` via symlinks and tar transforms inside a crafted malicious package to Node.js third-party modules - 2 upvotes, $0
- [diskstats] Command Injection via insecure command concatenation to Node.js third-party modules - 2 upvotes, $0
- [is-my-json-valid] ReDoS via 'style' format to Node.js third-party modules - 2 upvotes, $0
- [static-server-gx] Path Traversal allowing to read any files on the server to Node.js third-party modules - 2 upvotes, $0
- [authmagic-timerange-stateless-core] Improper Authentication to Node.js third-party modules - 2 upvotes, $0
- [git-lib] RCE via insecure command formatting to Node.js third-party modules - 2 upvotes, $0
- [http_server] Path Traversal allowing to read any files on the server to Node.js third-party modules - 2 upvotes, $0
- [gity] RCE via insecure command formatting to Node.js third-party modules - 2 upvotes, $0
- [create-git] RCE via insecure command formatting to Node.js third-party modules - 2 upvotes, $0
- [node-downloader-helper] Path traversal via Content-Disposition header to Node.js third-party modules - 2 upvotes, $0
- [plain-object-merge] Prototype pollution to Node.js third-party modules - 2 upvotes, $0
- Prototype pollution attack (merge-recursive) to Node.js third-party modules - 1 upvotes, $0
- Prototype pollution attack (merge-options) to Node.js third-party modules - 1 upvotes, $0
- Prototype pollution attack (merge-objects) to Node.js third-party modules - 1 upvotes, $0
- Command Injection Vulnerability in win-fork/win-spawn Packages to Node.js third-party modules - 1 upvotes, $0
- Prototype Pollution Vulnerability in cached-path-relative Package to Node.js third-party modules - 1 upvotes, $0
- [statics-server] Path Traversal due to lack of provided path sanitization to Node.js third-party modules - 1 upvotes, $0
- [servey] Path Traversal allows to retrieve content of any file with extension from remote server to Node.js third-party modules - 1 upvotes, $0
- typeorm does not properly escape parameters when building SQL queries, resulting in potential SQLi to Node.js third-party modules - 1 upvotes, $0
- [file-browser] Inadequate Output Encoding and Escaping to Node.js third-party modules - 1 upvotes, $0
- [md-fileserver] Path Traversal to Node.js third-party modules - 1 upvotes, $0
- [deliver-or-else] Path Traversal to Node.js third-party modules - 1 upvotes, $0
- [increments] sql injection to Node.js third-party modules - 1 upvotes, $0
- Arbitrary code execution via untrusted schemas in ajv to Node.js third-party modules - 1 upvotes, $0
- [supermixer] Prototype pollution to Node.js third-party modules - 1 upvotes, $0
- [extra-asciinema] Command Injection via insecure command formatting to Node.js third-party modules - 1 upvotes, $0
- [meemo-app] Denial of Service via LDAP Injection to Node.js third-party modules - 1 upvotes, $0
- Prototype pollution attack (lodash) to Node.js third-party modules - 1 upvotes, $0
- [json-bigint] DoS via `__proto__` assignment to Node.js third-party modules - 1 upvotes, $0
- [bl] Uninitialized memory exposure via negative .consume() to Node.js third-party modules - 1 upvotes, $0
- [sirloin] Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 1 upvotes, $0
- [hangersteak] Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 1 upvotes, $0
- [keyd] Prototype pollution to Node.js third-party modules - 1 upvotes, $0
- [objtools] Prototype pollution to Node.js third-party modules - 1 upvotes, $0
- [http-live-simulator] Application-level DoS to Node.js third-party modules - 1 upvotes, $0
- [ts-dot-prop] Prototype Pollution to Node.js third-party modules - 1 upvotes, $0
- [expressjs-ip-control] Whitelist IP bypass leads to authorization bypass and sensitive info disclosure to Node.js third-party modules - 1 upvotes, $0
- [zenn-cli] Path traversal on Windows allows the attacker to read arbitrary .md files to Node.js third-party modules - 1 upvotes, $0
- [chart.js] Prototype pollution to Node.js third-party modules - 1 upvotes, $0
- [dy-server2] - stored Cross-Site Scripting to Node.js third-party modules - 1 upvotes, $0
- [curling] Remote Code Execution to Node.js third-party modules - 1 upvotes, $0
- npm packages that overlap with core node packages to Node.js third-party modules - 0 upvotes, $0
- Media parsing in canvas is at least vulnerable to Denial of Service through multiple vulnerabilities to Node.js third-party modules - 0 upvotes, $0
- Arbitrary file overwrites in `node-tar` to Node.js third-party modules - 0 upvotes, $0
- Command Injection vulnerability in kill-port-process package to Node.js third-party modules - 0 upvotes, $0
- [listening-processes] Command Injection to Node.js third-party modules - 0 upvotes, $0
- Crash Node.js process from handlebars using a small and simple source to Node.js third-party modules - 0 upvotes, $0
- [xps] Command Injection via insecure command concatenation to Node.js third-party modules - 0 upvotes, $0
- [vboxmanage.js] Command Injection via insecure command concatenation to Node.js third-party modules - 0 upvotes, $0
- [object-path-set] Prototype pollution to Node.js third-party modules - 0 upvotes, $0
- [extra-ffmpeg] Command Injection via insecure command formatting to Node.js third-party modules - 0 upvotes, $0
- [flsaba] Stored XSS in the file and directory name when directories listing to Node.js third-party modules - 0 upvotes, $0
- [commit-msg] RCE via insecure command formatting to Node.js third-party modules - 0 upvotes, $0
- [tianma-static] Security issue with XSS. to Node.js third-party modules - 0 upvotes, $0
- [@firebase/util] Prototype pollution to Node.js third-party modules - 0 upvotes, $0
- [imagickal] Remote Code Execution to Node.js third-party modules - 0 upvotes, $0