TOPNODEJSTHIRDPARTYMODULES.md

File metadata and controls

245 lines (241 loc) · 36.3 KB

Back

Top reports from Node.js third-party modules program at HackerOne:

  1. [http_server] Stored XSS in the filename when directories listing to Node.js third-party modules - 60 upvotes, $0
  2. Server-Side Request Forgery (SSRF) in Ghost CMS to Node.js third-party modules - 28 upvotes, $0
  3. Fastify denial-of-service vulnerability with large JSON payloads to Node.js third-party modules - 25 upvotes, $500
  4. Fastify denial-of-service vulnerability with large JSON payloads to Node.js third-party modules - 25 upvotes, $500
  5. Pixel flood attack causes the JavaScript heap out of memory to Node.js third-party modules - 24 upvotes, $0
  6. [takeapeek] XSS via HTML tag injection in directory listing page to Node.js third-party modules - 21 upvotes, $0
  7. Server Side Request Forgery in Uppy npm module to Node.js third-party modules - 20 upvotes, $0
  8. [glance] Access unlisted internal files/folders revealing sensitive information to Node.js third-party modules - 19 upvotes, $0
  9. [seeftl] Stored XSS when directory listing via filename. to Node.js third-party modules - 18 upvotes, $0
  10. [buttle] Unsafe rendering of Markdown files to Node.js third-party modules - 16 upvotes, $0
  11. [serve] Directory listing and File access even when they have been set to be ignored. to Node.js third-party modules - 15 upvotes, $0
  12. List any file in the folder by using path traversal to Node.js third-party modules - 15 upvotes, $0
  13. [bower] Arbitrary File Write through improper validation of symlinks while package extraction to Node.js third-party modules - 15 upvotes, $0
  14. [typeorm] SQL Injection to Node.js third-party modules - 15 upvotes, $0
  15. [Total.js] Path traversal vulnerability allows to read files outside public directory to Node.js third-party modules - 15 upvotes, $0
  16. Prototype pollution attack (lodash / constructor.prototype) to Node.js third-party modules - 14 upvotes, $200
  17. Prototype pollution attack (lodash / constructor.prototype) to Node.js third-party modules - 14 upvotes, $200
  18. [pdfinfojs] Command Injection on filename parameter to Node.js third-party modules - 14 upvotes, $0
  19. [ascii-art] Command injection to Node.js third-party modules - 14 upvotes, $0
  20. Reflected XSS in the npm module express-cart. to Node.js third-party modules - 14 upvotes, $0
  21. [untitled-model] sql injection to Node.js third-party modules - 14 upvotes, $0
  22. [tree-kill] RCE via insecure command concatenation (only Windows) to Node.js third-party modules - 14 upvotes, $0
  23. Several simple remote code execution in pdf-image to Node.js third-party modules - 14 upvotes, $0
  24. [query-mysql] SQL Injection due to lack of user input sanitization allows to run arbitrary SQL queries when fetching data from database to Node.js third-party modules - 13 upvotes, $0
  25. Code Injection Vulnerability in morgan Package to Node.js third-party modules - 13 upvotes, $0
  26. [serve] Access unlisted internal files/folders revealing sensitive information to Node.js third-party modules - 13 upvotes, $0
  27. [logkitty] RCE via insecure command formatting to Node.js third-party modules - 13 upvotes, $0
  28. [hekto] Path Traversal vulnerability allows to read content of arbitrary files to Node.js third-party modules - 12 upvotes, $0
  29. flatmap-stream malicious package (distributed via the popular events-stream) to Node.js third-party modules - 12 upvotes, $0
  30. [html-pages] Path Traversal in html-pages module allows to read any file from the server with curl to Node.js third-party modules - 11 upvotes, $0
  31. [buttle] Path traversal in mid-buttle module allows to read any file in the server. to Node.js third-party modules - 11 upvotes, $0
  32. memjs allocates and stores buffers on typed input, resulting in DoS and uninitialized memory usage to Node.js third-party modules - 11 upvotes, $0
  33. [simplehttpserver] List any file in the folder by using path traversal. to Node.js third-party modules - 11 upvotes, $0
  34. [fileview] Inadequate Output Encoding and Escaping to Node.js third-party modules - 11 upvotes, $0
  35. [htmr] DOM-based XSS to Node.js third-party modules - 11 upvotes, $0
  36. OS Command Injection on Jison [all-parser-ports] to Node.js third-party modules - 11 upvotes, $0
  37. Prototype pollution attack (lodash) to Node.js third-party modules - 10 upvotes, $250
  38. [serve] Directory index of arbitrary folder available due to lack of sanitization of %2e and %2f characters in url to Node.js third-party modules - 10 upvotes, $0
  39. Prototype pollution attack (lodash) to Node.js third-party modules - 10 upvotes, $0
  40. protobufjs is vulnerable to ReDoS when parsing crafted invalid *.proto files to Node.js third-party modules - 10 upvotes, $0
  41. Unrestricted file upload (RCE) to Node.js third-party modules - 10 upvotes, $0
  42. [flintcms] Account takeover due to blind MongoDB injection in password reset to Node.js third-party modules - 10 upvotes, $0
  43. Command Injection Vulnerability in kill-port Package to Node.js third-party modules - 10 upvotes, $0
  44. [http-file-server] Stored XSS in the filename when directories listing to Node.js third-party modules - 10 upvotes, $0
  45. Application level denial of service due to shutting down the server to Node.js third-party modules - 10 upvotes, $0
  46. Server Side JavaScript Code Injection to Node.js third-party modules - 9 upvotes, $250
  47. Server Side JavaScript Code Injection to Node.js third-party modules - 9 upvotes, $250
  48. [localhost-now] Path Traversal allows to read content of arbitrary file to Node.js third-party modules - 9 upvotes, $0
  49. [general-file-server] Path Traversal vulnerability allows to read content on arbitrary file on the server to Node.js third-party modules - 9 upvotes, $0
  50. whereis concatenates unsanitized input into exec() command to Node.js third-party modules - 9 upvotes, $0
  51. [hekto] open redirect when target domain name is used as html filename on server to Node.js third-party modules - 9 upvotes, $0
  52. Privilege escalation allows any user to add an administrator to Node.js third-party modules - 9 upvotes, $0
  53. [samsung-remote] Command injection to Node.js third-party modules - 9 upvotes, $0
  54. Command Injection Vulnerability in libnmap Package to Node.js third-party modules - 9 upvotes, $0
  55. Stored XSS (Hexo-admin plugin) to Node.js third-party modules - 9 upvotes, $0
  56. Prototype pollution in multipart parsing to Node.js third-party modules - 9 upvotes, $0
  57. [html-janitor] Bypassing sanitization using DOM clobbering to Node.js third-party modules - 8 upvotes, $0
  58. [simplehttpserver] Stored XSS in file names leads to malicious JavaScript code execution when directory listing is output in HTML to Node.js third-party modules - 8 upvotes, $0
  59. [bracket-template] Reflected XSS possible when variable passed via GET parameter is used in template to Node.js third-party modules - 8 upvotes, $0
  60. [statics-server] XSS via injected iframe in file name when statics-server displays directory index in the browser to Node.js third-party modules - 8 upvotes, $0
  61. [markdown-pdf] Local file reading to Node.js third-party modules - 8 upvotes, $0
  62. Prototype pollution attack (merge.recursive) to Node.js third-party modules - 8 upvotes, $0
  63. [apex-publish-static-files] Command Injection on connectString to Node.js third-party modules - 8 upvotes, $0
  64. [knightjs] Path Traversal allows to read content of arbitrary files to Node.js third-party modules - 8 upvotes, $0
  65. Remote code execution in NPM package getcookies to Node.js third-party modules - 8 upvotes, $0
  66. Yarn transfers npm credentials over unencrypted http connection to Node.js third-party modules - 8 upvotes, $0
  67. Path traversal using symlink to Node.js third-party modules - 8 upvotes, $0
  68. [webpack-bundle-analyzer] Cross-site Scripting to Node.js third-party modules - 8 upvotes, $0
  69. [express-laravel-passport] Improper Authentication to Node.js third-party modules - 8 upvotes, $0
  70. Prototype pollution in dot-prop to Node.js third-party modules - 8 upvotes, $0
  71. Path Traversal on Resolve-Path to Node.js third-party modules - 7 upvotes, $0
  72. [angular-http-server] Path Traversal in angular-http-server.js allows to read arbitrary file from the remote server to Node.js third-party modules - 7 upvotes, $0
  73. [glance] Path Traversal in glance static file server allows to read content of arbitrary file to Node.js third-party modules - 7 upvotes, $0
  74. [stattic] Improper path validation leads to Path Traversal and allows to read arbitrary files with any extension(s) to Node.js third-party modules - 7 upvotes, $0
  75. [metascraper] Stored XSS in Open Graph meta properties read by metascraper to Node.js third-party modules - 7 upvotes, $0
  76. [crud-file-server] Path Traversal allows to read arbitrary file from the server to Node.js third-party modules - 7 upvotes, $0
  77. http-proxy-agent passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak to Node.js third-party modules - 7 upvotes, $0
  78. Insecure implementation of deserialization in cryo to Node.js third-party modules - 7 upvotes, $0
  79. Stored XSS in Node-Red to Node.js third-party modules - 7 upvotes, $0
  80. url-parse package return wrong hostname to Node.js third-party modules - 7 upvotes, $0
  81. [egg-scripts] Command injection to Node.js third-party modules - 7 upvotes, $0
  82. Command Injection in ps Package to Node.js third-party modules - 7 upvotes, $0
  83. Prototype pollution attack (defaults-deep / constructor.prototype) to Node.js third-party modules - 7 upvotes, $0
  84. [serve-here.js] List any file in the folder by using path traversal. to Node.js third-party modules - 7 upvotes, $0
  85. [http-file-server] List any files and sub folders in the folder by using path traversal. to Node.js third-party modules - 7 upvotes, $0
  86. gitlabhook OS Command Injection to Node.js third-party modules - 7 upvotes, $0
  87. [atlasboard-atlassian-package] Cross-site Scripting (XSS) to Node.js third-party modules - 7 upvotes, $0
  88. [klona] Prototype pollution to Node.js third-party modules - 7 upvotes, $0
  89. Denial Of Service in Strapi Framework using argument injection to Node.js third-party modules - 7 upvotes, $0
  90. [blamer] RCE via insecure command formatting to Node.js third-party modules - 7 upvotes, $0
  91. [git-promise] RCE via insecure command formatting to Node.js third-party modules - 7 upvotes, $0
  92. [626] Path Traversal allows to read arbitrary file from remote server to Node.js third-party modules - 6 upvotes, $0
  93. [anywhere] An iframe element with url to malicious HTML file (with eg. JavaScript malware) can be used as filename and served via anywhere to Node.js third-party modules - 6 upvotes, $0
  94. [uppy] Stored XSS due to crafted SVG file to Node.js third-party modules - 6 upvotes, $0
  95. [simple-server] HTML with iframe element can be used as filename, which might lead to load and execute malicious JavaScript to Node.js third-party modules - 6 upvotes, $0
  96. [node-srv] Path Traversal allows to read arbitrary files from remote server to Node.js third-party modules - 6 upvotes, $0
  97. https-proxy-agent passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak to Node.js third-party modules - 6 upvotes, $0
  98. command-exists concatenates unsanitized input into exec()/execSync() commands to Node.js third-party modules - 6 upvotes, $0
  99. [mcstatic] Server Directory Traversal to Node.js third-party modules - 6 upvotes, $0
  100. Remote Command Execution vulnerability in pullit to Node.js third-party modules - 6 upvotes, $0
  101. Insecure implementation of deserialization in funcster to Node.js third-party modules - 6 upvotes, $0
  102. [serve] Server Directory Traversal to Node.js third-party modules - 6 upvotes, $0
  103. [express-cart] Customer and admin email enumeration through MongoDB injection to Node.js third-party modules - 6 upvotes, $0
  104. Samlify is vulnerable to signature wrapping to Node.js third-party modules - 6 upvotes, $0
  105. [takeapeek] Path traversal allow to expose directory and files to Node.js third-party modules - 6 upvotes, $0
  106. Prototype pollution attack (lutils-merge) to Node.js third-party modules - 6 upvotes, $0
  107. [domokeeper] Unintended Require to Node.js third-party modules - 6 upvotes, $0
  108. Lodash "difference" (possibly others) Function Denial of Service Through Unvalidated Input to Node.js third-party modules - 6 upvotes, $0
  109. [url-parse] Improper Validation and Sanitization to Node.js third-party modules - 6 upvotes, $0
  110. sshpk is vulnerable to ReDoS when parsing crafted invalid public keys to Node.js third-party modules - 5 upvotes, $0
  111. atob allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below to Node.js third-party modules - 5 upvotes, $0
  112. [public] Stored XSS in filenames in directory served by public to Node.js third-party modules - 5 upvotes, $0
  113. [mcstatic] Path Traversal allows to read content of arbitrary files to Node.js third-party modules - 5 upvotes, $0
  114. superstatic is vulnerable to path traversal on Windows to Node.js third-party modules - 5 upvotes, $0
  115. macaddress concatenates unsanitized input into exec() command to Node.js third-party modules - 5 upvotes, $0
  116. base64-url below 2.0 allocates uninitialized Buffers when number is passed in input to Node.js third-party modules - 5 upvotes, $0
  117. [serve] Directory listing and File access even when they have been set to be ignored to Node.js third-party modules - 5 upvotes, $0
  118. [public] Stored XSS in the filename when directories listing to Node.js third-party modules - 5 upvotes, $0
  119. [html-pages] Stored XSS in the filename when directories listing to Node.js third-party modules - 5 upvotes, $0
  120. [bruteser] Path Traversal allows to read content of arbitrary file to Node.js third-party modules - 5 upvotes, $0
  121. [entitlements] Command injection on the 'path' parameter to Node.js third-party modules - 5 upvotes, $0
  122. stored xss in scrape-metadata when reading metadata from an html page to Node.js third-party modules - 5 upvotes, $0
  123. Arbitrary File Write Through Archive Extraction to Node.js third-party modules - 5 upvotes, $0
  124. Arbitrary File Write through archive extraction to Node.js third-party modules - 5 upvotes, $0
  125. Prototype pollution attack (extend) to Node.js third-party modules - 5 upvotes, $0
  126. http-live-simulator npm module is prone to path traversal attacks to Node.js third-party modules - 5 upvotes, $0
  127. [tianma-static] Stored xss on filename to Node.js third-party modules - 5 upvotes, $0
  128. Prototype Pollution Vulnerability in mpath Package to Node.js third-party modules - 5 upvotes, $0
  129. [static-resource-server] Path Traversal allows to read content of arbitrary file on the server to Node.js third-party modules - 5 upvotes, $0
  130. Prototype pollution attack through jQuery $.extend to Node.js third-party modules - 5 upvotes, $0
  131. [statichttpserver] List any file in the folder by using path traversal. to Node.js third-party modules - 5 upvotes, $0
  132. [larvitbase-www] Unintended Require to Node.js third-party modules - 5 upvotes, $0
  133. [node-df] RCE via insecure command concatenation to Node.js third-party modules - 5 upvotes, $0
  134. Lack of input validation and sanitization in react-autolinker-wrapper library causes XSS to Node.js third-party modules - 5 upvotes, $0
  135. [jsreport] Remote Code Execution to Node.js third-party modules - 5 upvotes, $0
  136. [serve-here] Static Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 4 upvotes, $0
  137. [featurebook] Specification Server Directory Traversal via Crafted Browser Request to Node.js third-party modules - 4 upvotes, $0
  138. [redis-commander] Reflected SWF XSS via vulnerable "clipboard.swf" component to Node.js third-party modules - 4 upvotes, $0
  139. [html-janitor] Passing user-controlled data to clean() leads to XSS to Node.js third-party modules - 4 upvotes, $0
  140. Prototype pollution attack (Hoek) to Node.js third-party modules - 4 upvotes, $0
  141. [public] Path Traversal allows to read content of arbitrary files to Node.js third-party modules - 4 upvotes, $0
  142. [crud-file-server] Stored XSS in filenames when directory index is served by crud-file-server to Node.js third-party modules - 4 upvotes, $0
  143. [glance] Stored XSS via file name allows to run arbitrary JavaScript when directory listing is displayed in browser to Node.js third-party modules - 4 upvotes, $0
  144. [angular-http-server] Server Directory Traversal to Node.js third-party modules - 4 upvotes, $0
  145. [buttle] Remote Command Execution via unsanitized PHP filename when it's run with --php-bin flag to Node.js third-party modules - 4 upvotes, $0
  146. base64url allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below to Node.js third-party modules - 4 upvotes, $0
  147. byte allocates uninitialized buffers and reads data from them past the initialized length to Node.js third-party modules - 4 upvotes, $0
  148. The react-marked-markdown module allows XSS injection in href values. to Node.js third-party modules - 4 upvotes, $0
  149. [localhost-now] bypassing url filter which leads to read content of arbitrary file to Node.js third-party modules - 4 upvotes, $0
  150. put allocates uninitialized Buffers when non-round numbers are passed in input to Node.js third-party modules - 4 upvotes, $0
  151. njwt allocates uninitialized Buffers when number is passed in base64urlEncode input to Node.js third-party modules - 4 upvotes, $0
  152. [git-dummy-commit] Command injection on the msg parameter to Node.js third-party modules - 4 upvotes, $0
  153. [ponse] Path traversal in ponse module allows to read any file on server to Node.js third-party modules - 4 upvotes, $0
  154. [serve] Stored XSS in the filename when directories listing to Node.js third-party modules - 4 upvotes, $0
  155. Prototype pollution attack (upmerge) to Node.js third-party modules - 4 upvotes, $0
  156. Code Injection Vulnerability in dot Package to Node.js third-party modules - 4 upvotes, $0
  157. XSS in Bootbox to Node.js third-party modules - 4 upvotes, $0
  158. [larvitbase-api] Unintended Require to Node.js third-party modules - 4 upvotes, $0
  159. [https-proxy-agent] Socket returned without TLS upgrade on non-200 CONNECT response, allowing request data to be sent over unencrypted connection to Node.js third-party modules - 4 upvotes, $0
  160. Trojan:JS/CoinMiner in npm files to Node.js third-party modules - 4 upvotes, $0
  161. Command Injection due to lack of sanitisation of tar.gz filename passed as an argument to pm2.install() function to Node.js third-party modules - 4 upvotes, $0
  162. [script-manager] Unintended require to Node.js third-party modules - 4 upvotes, $0
  163. [reveal.js] XSS by calling arbitrary method via postMessage to Node.js third-party modules - 4 upvotes, $0
  164. [lactate] Static Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 3 upvotes, $0
  165. [augustine] Static Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 3 upvotes, $0
  166. Prototype pollution attack (mixin-deep) to Node.js third-party modules - 3 upvotes, $0
  167. Prototype pollution attack (assign-deep) to Node.js third-party modules - 3 upvotes, $0
  168. Prototype pollution attack (merge-deep) to Node.js third-party modules - 3 upvotes, $0
  169. Prototype pollution attack (defaults-deep) to Node.js third-party modules - 3 upvotes, $0
  170. Prototype pollution attack (deep-extend) to Node.js third-party modules - 3 upvotes, $0
  171. Bypass to defective fix of Path Traversal to Node.js third-party modules - 3 upvotes, $0
  172. npmconf (and npm js api) allocate and write to disk uninitialized memory content when a typed number is passed as input on Node.js 4.x to Node.js third-party modules - 3 upvotes, $0
  173. [sexstatic] HTML injection in directory name(s) leads to Stored XSS when malicious file is embedded with <iframe> element used in directory name to Node.js third-party modules - 3 upvotes, $0
  174. Command injection in 'pdf-image' to Node.js third-party modules - 3 upvotes, $0
  175. utile allocates uninitialized Buffers when number is passed in input to Node.js third-party modules - 3 upvotes, $0
  176. [file-static-server] Path Traversal allows to read content of arbitrary file on the server to Node.js third-party modules - 3 upvotes, $0
  177. Privilege escalation with malicious .npmrc to Node.js third-party modules - 3 upvotes, $0
  178. [m-server] HTML Injection in filenames displayed as directory listing in the browser allows to embed iframe with malicious JavaScript code to Node.js third-party modules - 3 upvotes, $0
  179. [exceljs] Possible XSS via cell value when worksheet is displayed in browser to Node.js third-party modules - 3 upvotes, $0
  180. [serve] XSS via HTML tag injection in directory listing page to Node.js third-party modules - 3 upvotes, $0
  181. Prototype pollution attack in just-extend to Node.js third-party modules - 3 upvotes, $0
  182. Prototype pollution attack in node.extend to Node.js third-party modules - 3 upvotes, $0
  183. [harp] File access even when they have been set to be ignored. to Node.js third-party modules - 3 upvotes, $0
  184. [harp] Path traversal using symlink to Node.js third-party modules - 3 upvotes, $0
  185. A specifically malformed MQTT Subscribe packet crashes MQTT Brokers using the mqtt-packet module for decoding to Node.js third-party modules - 3 upvotes, $0
  186. [min-http-server] Stored XSS in the filename when directories listing to Node.js third-party modules - 3 upvotes, $0
  187. Command Injection in npm module name passed as an argument to pm2.install() function to Node.js third-party modules - 3 upvotes, $0
  188. indexFile option passed as an argument to node-server can lead to arbitrary file read to Node.js third-party modules - 3 upvotes, $0
  189. [treekill] RCE via insecure command concatenation (only Windows) to Node.js third-party modules - 3 upvotes, $0
  190. Path traversal in https://www.npmjs.com/package/http_server via symlink to Node.js third-party modules - 3 upvotes, $0
  191. rgb2hex is vulnerable to ReDoS when parsing crafted invalid colors to Node.js third-party modules - 3 upvotes, $0
  192. open concatenates unsanitized input into exec() command to Node.js third-party modules - 3 upvotes, $0
  193. [npm-git-publish] RCE via insecure command formatting to Node.js third-party modules - 3 upvotes, $0
  194. [node-red] Stored XSS within Flow's - "Name" field to Node.js third-party modules - 3 upvotes, $0
  195. [yarn] yarn.lock integrity & hash check logic is broken to Node.js third-party modules - 3 upvotes, $0
  196. [utils-extend] Prototype pollution to Node.js third-party modules - 3 upvotes, $0
  197. Prototype pollution attack (deap) to Node.js third-party modules - 2 upvotes, $0
  198. [cloudcmd] Stored XSS in the filename when directories listing to Node.js third-party modules - 2 upvotes, $0
  199. concat-with-sourcemaps allocates uninitialized Buffers when number is passed as a separator to Node.js third-party modules - 2 upvotes, $0
  200. foreman is vulnerable to ReDoS in path to Node.js third-party modules - 2 upvotes, $0
  201. stringstream allocates uninitialized Buffers when number is passed in input stream on Node.js 4.x and below to Node.js third-party modules - 2 upvotes, $0
  202. sql does not properly escape parameters when building SQL queries, resulting in potential SQLi to Node.js third-party modules - 2 upvotes, $0
  203. [serve] Directory listing and File access even when they have been set to be ignored (using dot-slash) to Node.js third-party modules - 2 upvotes, $0
  204. [buttle] HTML Injection in filename leads to XSS when directory listing is displayed in the browser to Node.js third-party modules - 2 upvotes, $0
  205. XSS in express-useragent through HTTP User-Agent to Node.js third-party modules - 2 upvotes, $0
  206. [m-server] Path Traversal allows to display content of arbitrary file(s) from the server to Node.js third-party modules - 2 upvotes, $0
  207. Prototype pollution attack (mergify) to Node.js third-party modules - 2 upvotes, $0
  208. Regular Expression Denial of Service (ReDoS) to Node.js third-party modules - 2 upvotes, $0
  209. useragent is vulnerable to ReDoS in user-agent string to Node.js third-party modules - 2 upvotes, $0
  210. [harp] Unsafe rendering of Markdown files to Node.js third-party modules - 2 upvotes, $0
  211. [public] Path traversal using symlink to Node.js third-party modules - 2 upvotes, $0
  212. environment variable leakage in error reporting to Node.js third-party modules - 2 upvotes, $0
  213. [meta-git] RCE via insecure command formatting to Node.js third-party modules - 2 upvotes, $0
  214. [@azhou/basemodel] SQL injection to Node.js third-party modules - 2 upvotes, $0
  215. Filesystem Writes via yarn install via symlinks and tar transforms inside a crafted malicious package to Node.js third-party modules - 2 upvotes, $0
  216. [Limited bypass of #793704] Blind SSRF in Ghost CMS to Node.js third-party modules - 2 upvotes, $0
  217. [crypto-js] Insecure entropy source - Math.random() to Node.js third-party modules - 2 upvotes, $0
  218. Prototype pollution attack (merge-recursive) to Node.js third-party modules - 1 upvotes, $0
  219. Prototype pollution attack (merge-options) to Node.js third-party modules - 1 upvotes, $0
  220. Prototype pollution attack (merge-objects) to Node.js third-party modules - 1 upvotes, $0
  221. fs-path concatenates unsanitized input into exec()/execSync() commands to Node.js third-party modules - 1 upvotes, $0
  222. Command Injection Vulnerability in win-fork/win-spawn Packages to Node.js third-party modules - 1 upvotes, $0
  223. Prototype Pollution Vulnerability in cached-path-relative Package to Node.js third-party modules - 1 upvotes, $0
  224. [http-live-simulator] Path traversal vulnerability to Node.js third-party modules - 1 upvotes, $0
  225. [statics-server] Path Traversal due to lack of provided path sanitization to Node.js third-party modules - 1 upvotes, $0
  226. [servey] Path Traversal allows to retrieve content of any file with extension from remote server to Node.js third-party modules - 1 upvotes, $0
  227. Prototype pollution attack (smart-extend) to Node.js third-party modules - 1 upvotes, $0
  228. typeorm does not properly escape parameters when building SQL queries, resulting in potential SQLi to Node.js third-party modules - 1 upvotes, $0
  229. [file-browser] Inadequate Output Encoding and Escaping to Node.js third-party modules - 1 upvotes, $0
  230. [md-fileserver] Path Traversal to Node.js third-party modules - 1 upvotes, $0
  231. [deliver-or-else] Path Traversal to Node.js third-party modules - 1 upvotes, $0
  232. [increments] sql injection to Node.js third-party modules - 1 upvotes, $0
  233. npm packages that overlap with core node packages to Node.js third-party modules - 0 upvotes, $0
  234. Media parsing in canvas is at least vulnerable to Denial of Service through multiple vulnerabilities to Node.js third-party modules - 0 upvotes, $0
  235. Arbitrary file overwrites in node-tar to Node.js third-party modules - 0 upvotes, $0
  236. Command Injection vulnerability in kill-port-process package to Node.js third-party modules - 0 upvotes, $0
  237. [listening-processes] Command Injection to Node.js third-party modules - 0 upvotes, $0
  238. Crash Node.js process from handlebars using a small and simple source to Node.js third-party modules - 0 upvotes, $0