TOPNODEJSTHIRDPARTYMODULES.md

Top reports from the Node.js third-party modules program at HackerOne:

  1. [http_server] Stored XSS in the filename when directories listing to Node.js third-party modules - 61 upvotes, $0
  2. Server-Side Request Forgery (SSRF) in Ghost CMS to Node.js third-party modules - 39 upvotes, $0
  3. property-expr - Prototype pollution to Node.js third-party modules - 33 upvotes, $0
  4. Fastify denial-of-service vulnerability with large JSON payloads to Node.js third-party modules - 25 upvotes, $500
  5. Pixel flood attack cause the javascript heap out of memory to Node.js third-party modules - 25 upvotes, $0
  6. [Uppy] Internal Server side request forgery (bypass of #786956) to Node.js third-party modules - 22 upvotes, $0
  7. [socket.io] Cross-Site Websocket Hijacking to Node.js third-party modules - 22 upvotes, $0
  8. [takeapeek] XSS via HTML tag injection in directory listing page to Node.js third-party modules - 21 upvotes, $0
  9. Server Side Request Forgery in Uppy npm module to Node.js third-party modules - 20 upvotes, $0
  10. [glance] Access unlisted internal files/folders revealing sensitive information to Node.js third-party modules - 19 upvotes, $0
  11. [seeftl] Stored XSS when directory listing via filename. to Node.js third-party modules - 19 upvotes, $0
  12. bunyan - RCE via insecure command formatting to Node.js third-party modules - 17 upvotes, $0
  13. Prototype pollution attack (lodash) to Node.js third-party modules - 16 upvotes, $250
  14. [buttle] Unsafe rendering of Markdown files to Node.js third-party modules - 16 upvotes, $0
  15. [Total.js] Path traversal vulnerability allows to read files outside public directory to Node.js third-party modules - 16 upvotes, $0
  16. [serve] Directory listing and File access even when they have been set to be ignored. to Node.js third-party modules - 15 upvotes, $0
  17. [pdfinfojs] Command Injection on filename parameter to Node.js third-party modules - 15 upvotes, $0
  18. List any file in the folder by using path traversal to Node.js third-party modules - 15 upvotes, $0
  19. [bower] Arbitrary File Write through improper validation of symlinks while package extraction to Node.js third-party modules - 15 upvotes, $0
  20. Reflected XSS in the npm module express-cart. to Node.js third-party modules - 15 upvotes, $0
  21. [typeorm] SQL Injection to Node.js third-party modules - 15 upvotes, $0
  22. Several simple remote code execution in pdf-image to Node.js third-party modules - 15 upvotes, $0
  23. [logkitty] RCE via insecure command formatting to Node.js third-party modules - 15 upvotes, $0
  24. Prototype pollution attack (lodash / constructor.prototype) to Node.js third-party modules - 14 upvotes, $200
  25. [ascii-art] Command injection to Node.js third-party modules - 14 upvotes, $0
  26. [untitled-model] sql injection to Node.js third-party modules - 14 upvotes, $0
  27. [tree-kill] RCE via insecure command concatenation (only Windows) to Node.js third-party modules - 14 upvotes, $0
  28. [query-mysql] SQL Injection due to lack of user input sanitization allows to run arbitrary SQL queries when fetching data from database to Node.js third-party modules - 13 upvotes, $0
  29. Code Injection Vulnerability in morgan Package to Node.js third-party modules - 13 upvotes, $0
  30. flatmap-stream malicious package (distributed via the popular events-stream) to Node.js third-party modules - 13 upvotes, $0
  31. [serve] Access unlisted internal files/folders revealing sensitive information to Node.js third-party modules - 13 upvotes, $0
  32. OS Command Injection on Jison [all-parser-ports] to Node.js third-party modules - 13 upvotes, $0
  33. [nested-property] Prototype Pollution to Node.js third-party modules - 13 upvotes, $0
  34. [hekto] Path Traversal vulnerability allows to read content of arbitrary files to Node.js third-party modules - 12 upvotes, $0
  35. [htmr] DOM-based XSS to Node.js third-party modules - 12 upvotes, $0
  36. [m-server] XSS reflected because path does not escapeHtml to Node.js third-party modules - 12 upvotes, $0
  37. [html-pages] Path Traversal in html-pages module allows to read any file from the server with curl to Node.js third-party modules - 11 upvotes, $0
  38. Unrestricted file upload (RCE) to Node.js third-party modules - 11 upvotes, $0
  39. [buttle] Path traversal in mid-buttle module allows to read any file in the server. to Node.js third-party modules - 11 upvotes, $0
  40. memjs allocates and stores buffers on typed input, resulting in DoS and uninitialized memory usage to Node.js third-party modules - 11 upvotes, $0
  41. Privilege escalation allows any user to add an administrator to Node.js third-party modules - 11 upvotes, $0
  42. [simplehttpserver] List any file in the folder by using path traversal. to Node.js third-party modules - 11 upvotes, $0
  43. Application level denial of service due to shutting down the server to Node.js third-party modules - 11 upvotes, $0
  44. [fileview] Inadequate Output Encoding and Escaping to Node.js third-party modules - 11 upvotes, $0
  45. Denial Of Service in Strapi Framework using argument injection to Node.js third-party modules - 11 upvotes, $0
  46. [devcert] Command Injection via insecure command formatting to Node.js third-party modules - 11 upvotes, $0
  47. Server Side JavaScript Code Injection to Node.js third-party modules - 10 upvotes, $250
  48. [serve] Directory index of arbitrary folder available due to lack of sanitization of %2e and %2f characters in url to Node.js third-party modules - 10 upvotes, $0
  49. Prototype pollution attack (lodash) to Node.js third-party modules - 10 upvotes, $0
  50. protobufjs is vulnerable to ReDoS when parsing crafted invalid *.proto files to Node.js third-party modules - 10 upvotes, $0
  51. [hekto] open redirect when target domain name is used as html filename on server to Node.js third-party modules - 10 upvotes, $0
  52. [flintcms] Account takeover due to blind MongoDB injection in password reset to Node.js third-party modules - 10 upvotes, $0
  53. [samsung-remote] Command injection to Node.js third-party modules - 10 upvotes, $0
  54. Command Injection Vulnerability in kill-port Package to Node.js third-party modules - 10 upvotes, $0
  55. [http-file-server] Stored XSS in the filename when directories listing to Node.js third-party modules - 10 upvotes, $0
  56. [html-janitor] Bypassing sanitization using DOM clobbering to Node.js third-party modules - 9 upvotes, $0
  57. [localhost-now] Path Traversal allows to read content of arbitrary file to Node.js third-party modules - 9 upvotes, $0
  58. [general-file-server] Path Traversal vulnerability allows to read content on arbitrary file on the server to Node.js third-party modules - 9 upvotes, $0
  59. whereis concatenates unsanitized input into exec() command to Node.js third-party modules - 9 upvotes, $0
  60. [statics-server] XSS via injected iframe in file name when statics-server displays directory index in the browser to Node.js third-party modules - 9 upvotes, $0
  61. Prototype pollution attack (merge.recursive) to Node.js third-party modules - 9 upvotes, $0
  62. Command Injection Vulnerability in libnmap Package to Node.js third-party modules - 9 upvotes, $0
  63. [apex-publish-static-files] Command Injection on connectString to Node.js third-party modules - 9 upvotes, $0
  64. [webpack-bundle-analyzer] Cross-site Scripting to Node.js third-party modules - 9 upvotes, $0
  65. [express-laravel-passport] Improper Authentication to Node.js third-party modules - 9 upvotes, $0
  66. Stored XSS (Hexo-admin plugin) to Node.js third-party modules - 9 upvotes, $0
  67. Prototype pollution in dot-prop to Node.js third-party modules - 9 upvotes, $0
  68. Prototype pollution in multipart parsing to Node.js third-party modules - 9 upvotes, $0
  69. [i18next] Prototype pollution attack to Node.js third-party modules - 9 upvotes, $0
  70. Prototype Pollution lodash 4.17.15 to Node.js third-party modules - 8 upvotes, $250
  71. [simplehttpserver] Stored XSS in file names leads to malicious JavaScript code execution when directory listing is output in HTML to Node.js third-party modules - 8 upvotes, $0
  72. [bracket-template] Reflected XSS possible when variable passed via GET parameter is used in template to Node.js third-party modules - 8 upvotes, $0
  73. [markdown-pdf] Local file reading to Node.js third-party modules - 8 upvotes, $0
  74. url-parse package return wrong hostname to Node.js third-party modules - 8 upvotes, $0
  75. Command Injection in ps Package to Node.js third-party modules - 8 upvotes, $0
  76. [knightjs] Path Traversal allows to read content of arbitrary files to Node.js third-party modules - 8 upvotes, $0
  77. Remote code execution in NPM package getcookies to Node.js third-party modules - 8 upvotes, $0
  78. [serve-here.js] List any file in the folder by using path traversal. to Node.js third-party modules - 8 upvotes, $0
  79. Yarn transfers npm credentials over unencrypted http connection to Node.js third-party modules - 8 upvotes, $0
  80. gitlabhook OS Command Injection to Node.js third-party modules - 8 upvotes, $0
  81. Path traversal using symlink to Node.js third-party modules - 8 upvotes, $0
  82. [atlasboard-atlassian-package] Cross-site Scripting (XSS) to Node.js third-party modules - 8 upvotes, $0
  83. [jsreport] Remote Code Execution to Node.js third-party modules - 8 upvotes, $0
  84. [min-http-server] List any file in the folder by using path traversal. to Node.js third-party modules - 8 upvotes, $0
  85. Default behavior of Fastify's versioned routes can be used for cache poisoning when Fastify is used in combination with a http cache / CDN to Node.js third-party modules - 8 upvotes, $0
  86. [wireguard-wrapper] Command Injection via insecure command concatenation to Node.js third-party modules - 8 upvotes, $0
  87. Path Traversal on Resolve-Path to Node.js third-party modules - 7 upvotes, $0
  88. [angular-http-server] Path Traversal in angular-http-server.js allows to read arbitrary file from the remote server to Node.js third-party modules - 7 upvotes, $0
  89. [glance] Path Traversal in glance static file server allows to read content of arbitrary file to Node.js third-party modules - 7 upvotes, $0
  90. [stattic] Improper path validation leads to Path Traversal and allows to read arbitrary files with any extension(s) to Node.js third-party modules - 7 upvotes, $0
  91. [metascraper] Stored XSS in Open Graph meta properties read by metascraper to Node.js third-party modules - 7 upvotes, $0
  92. [crud-file-server] Path Traversal allows to read arbitrary file from the server to Node.js third-party modules - 7 upvotes, $0
  93. http-proxy-agent passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak to Node.js third-party modules - 7 upvotes, $0
  94. Remote Command Execution vulnerability in pullit to Node.js third-party modules - 7 upvotes, $0
  95. Insecure implementation of deserialization in cryo to Node.js third-party modules - 7 upvotes, $0
  96. Stored XSS in Node-Red to Node.js third-party modules - 7 upvotes, $0
  97. [egg-scripts] Command injection to Node.js third-party modules - 7 upvotes, $0
  98. Prototype pollution attack (defaults-deep / constructor.prototype) to Node.js third-party modules - 7 upvotes, $0
  99. Samlify is vulnerable to signature wrapping to Node.js third-party modules - 7 upvotes, $0
  100. Prototype pollution attack through jQuery $.extend to Node.js third-party modules - 7 upvotes, $0
  101. [http-file-server] List any files and sub folders in the folder by using path traversal. to Node.js third-party modules - 7 upvotes, $0
  102. [klona] Prototype pollution to Node.js third-party modules - 7 upvotes, $0
  103. [blamer] RCE via insecure command formatting to Node.js third-party modules - 7 upvotes, $0
  104. [git-promise] RCE via insecure command formatting to Node.js third-party modules - 7 upvotes, $0
  105. [cloudron-surfer] Denial of Service via LDAP Injection to Node.js third-party modules - 7 upvotes, $0
  106. [@knutkirkhorn/free-space] - Command Injection through Lack of Sanitization to Node.js third-party modules - 7 upvotes, $0
  107. [626] Path Traversal allows to read arbitrary file from remote server to Node.js third-party modules - 6 upvotes, $0
  108. [anywhere] An iframe element with url to malicious HTML file (with eg. JavaScript malware) can be used as filename and served via anywhere to Node.js third-party modules - 6 upvotes, $0
  109. [uppy] Stored XSS due to crafted SVG file to Node.js third-party modules - 6 upvotes, $0
  110. [simple-server] HTML with iframe element can be used as filename, which might lead to load and execute malicious JavaScript to Node.js third-party modules - 6 upvotes, $0
  111. [node-srv] Path Traversal allows to read arbitrary files from remote server to Node.js third-party modules - 6 upvotes, $0
  112. https-proxy-agent passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak to Node.js third-party modules - 6 upvotes, $0
  113. [mcstatic] Path Traversal allows to read content of arbitrary files to Node.js third-party modules - 6 upvotes, $0
  114. command-exists concatenates unsanitized input into exec()/execSync() commands to Node.js third-party modules - 6 upvotes, $0
  115. [mcstatic] Server Directory Traversal to Node.js third-party modules - 6 upvotes, $0
  116. Insecure implementation of deserialization in funcster to Node.js third-party modules - 6 upvotes, $0
  117. [serve] Server Directory Traversal to Node.js third-party modules - 6 upvotes, $0
  118. Arbitrary File Write Through Archive Extraction to Node.js third-party modules - 6 upvotes, $0
  119. [express-cart] Customer and admin email enumeration through MongoDB injection to Node.js third-party modules - 6 upvotes, $0
  120. [takeapeek] Path traversal allow to expose directory and files to Node.js third-party modules - 6 upvotes, $0
  121. [tianma-static] Stored xss on filename to Node.js third-party modules - 6 upvotes, $0
  122. Prototype pollution attack (lutils-merge) to Node.js third-party modules - 6 upvotes, $0
  123. [static-resource-server] Path Traversal allows to read content of arbitrary file on the server to Node.js third-party modules - 6 upvotes, $0
  124. [domokeeper] Unintended Require to Node.js third-party modules - 6 upvotes, $0
  125. [larvitbase-api] Unintended Require to Node.js third-party modules - 6 upvotes, $0
  126. [larvitbase-www] Unintended Require to Node.js third-party modules - 6 upvotes, $0
  127. Lodash "difference" (possibly others) Function Denial of Service Through Unvalidated Input to Node.js third-party modules - 6 upvotes, $0
  128. [url-parse] Improper Validation and Sanitization to Node.js third-party modules - 6 upvotes, $0
  129. [reveal.js] XSS by calling arbitrary method via postMessage to Node.js third-party modules - 6 upvotes, $0
  130. SQL Injection or Denial of Service due to a Prototype Pollution to Node.js third-party modules - 6 upvotes, $0
  131. Arbitrary code execution via untrusted schemas in is-my-json-valid to Node.js third-party modules - 6 upvotes, $0
  132. [wappalyzer] ReDoS allows an attacker to completely break Wappalyzer to Node.js third-party modules - 6 upvotes, $0
  133. [notevil] - Sandbox Escape Lead to RCE on Node.js and XSS in the Browser to Node.js third-party modules - 6 upvotes, $0
  134. [freespace] Command Injection due to Lack of Sanitization to Node.js third-party modules - 6 upvotes, $0
  135. [last-commit-log] Command Injection to Node.js third-party modules - 6 upvotes, $0
  136. Bypass of SSRF Vulnerability to Node.js third-party modules - 6 upvotes, $0
  137. [html-janitor] Passing user-controlled data to clean() leads to XSS to Node.js third-party modules - 5 upvotes, $0
  138. sshpk is vulnerable to ReDoS when parsing crafted invalid public keys to Node.js third-party modules - 5 upvotes, $0
  139. atob allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below to Node.js third-party modules - 5 upvotes, $0
  140. [public] Stored XSS in filenames in directory served by public to Node.js third-party modules - 5 upvotes, $0
  141. superstatic is vulnerable to path traversal on Windows to Node.js third-party modules - 5 upvotes, $0
  142. macaddress concatenates unsanitized input into exec() command to Node.js third-party modules - 5 upvotes, $0
  143. base64-url below 2.0 allocates uninitialized Buffers when number is passed in input to Node.js third-party modules - 5 upvotes, $0
  144. The react-marked-markdown module allows XSS injection in href values. to Node.js third-party modules - 5 upvotes, $0
  145. [serve] Directory listing and File access even when they have been set to be ignored to Node.js third-party modules - 5 upvotes, $0
  146. [public] Stored XSS in the filename when directories listing to Node.js third-party modules - 5 upvotes, $0
  147. [html-pages] Stored XSS in the filename when directories listing to Node.js third-party modules - 5 upvotes, $0
  148. njwt allocates uninitialized Buffers when number is passed in base64urlEncode input to Node.js third-party modules - 5 upvotes, $0
  149. [git-dummy-commit] Command injection on the msg parameter to Node.js third-party modules - 5 upvotes, $0
  150. [bruteser] Path Traversal allows to read content of arbitrary file to Node.js third-party modules - 5 upvotes, $0
  151. [entitlements] Command injection on the 'path' parameter to Node.js third-party modules - 5 upvotes, $0
  152. stored xss in scrape-metadata when reading metadata from an html page to Node.js third-party modules - 5 upvotes, $0
  153. Arbitrary File Write through archive extraction to Node.js third-party modules - 5 upvotes, $0
  154. Prototype pollution attack (extend) to Node.js third-party modules - 5 upvotes, $0
  155. http-live-simulator npm module is prone to path traversal attacks to Node.js third-party modules - 5 upvotes, $0
  156. Prototype Pollution Vulnerability in mpath Package to Node.js third-party modules - 5 upvotes, $0
  157. [statichttpserver] List any file in the folder by using path traversal. to Node.js third-party modules - 5 upvotes, $0
  158. [node-df] RCE via insecure command concatenation to Node.js third-party modules - 5 upvotes, $0
  159. Lack of input validation and sanitization in react-autolinker-wrapper library causes XSS to Node.js third-party modules - 5 upvotes, $0
  160. [script-manager] Unintended require to Node.js third-party modules - 5 upvotes, $0
  161. [extend-merge] Prototype pollution to Node.js third-party modules - 5 upvotes, $0
  162. [json8-merge-patch] Prototype Pollution to Node.js third-party modules - 5 upvotes, $0
  163. [arpping] Remote Code Execution to Node.js third-party modules - 5 upvotes, $0
  164. Server-side Template Injection in lodash.js to Node.js third-party modules - 5 upvotes, $0
  165. Fastify uses allErrors: true ajv configuration by default which is susceptible to DoS to Node.js third-party modules - 4 upvotes, $250
  166. [serve-here] Static Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 4 upvotes, $0
  167. [featurebook] Specification Server Directory Traversal via Crafted Browser Request to Node.js third-party modules - 4 upvotes, $0
  168. [redis-commander] Reflected SWF XSS via vulnerable "clipboard.swf" component to Node.js third-party modules - 4 upvotes, $0
  169. Prototype pollution attack (Hoek) to Node.js third-party modules - 4 upvotes, $0
  170. Prototype pollution attack (mixin-deep) to Node.js third-party modules - 4 upvotes, $0
  171. Prototype pollution attack (assign-deep) to Node.js third-party modules - 4 upvotes, $0
  172. [public] Path Traversal allows to read content of arbitrary files to Node.js third-party modules - 4 upvotes, $0
  173. [crud-file-server] Stored XSS in filenames when directory index is served by crud-file-server to Node.js third-party modules - 4 upvotes, $0
  174. [glance] Stored XSS via file name allows to run arbitrary JavaScript when directory listing is displayed in browser to Node.js third-party modules - 4 upvotes, $0
  175. Prototype pollution attack (deep-extend) to Node.js third-party modules - 4 upvotes, $0
  176. [angular-http-server] Server Directory Traversal to Node.js third-party modules - 4 upvotes, $0
  177. Bypass to defective fix of Path Traversal to Node.js third-party modules - 4 upvotes, $0
  178. [buttle] Remote Command Execution via unsanitized PHP filename when it's run with --php-bin flag to Node.js third-party modules - 4 upvotes, $0
  179. base64url allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below to Node.js third-party modules - 4 upvotes, $0
  180. byte allocates uninitialized buffers and reads data from them past the initialized length to Node.js third-party modules - 4 upvotes, $0
  181. [localhost-now] bypassing url filter which leads to read content of arbitrary file to Node.js third-party modules - 4 upvotes, $0
  182. put allocates uninitialized Buffers when non-round numbers are passed in input to Node.js third-party modules - 4 upvotes, $0
  183. [ponse] Path traversal in ponse module allows to read any file on server to Node.js third-party modules - 4 upvotes, $0
  184. [exceljs] Possible XSS via cell value when worksheet is displayed in browser to Node.js third-party modules - 4 upvotes, $0
  185. [serve] XSS via HTML tag injection in directory listing page to Node.js third-party modules - 4 upvotes, $0
  186. [serve] Stored XSS in the filename when directories listing to Node.js third-party modules - 4 upvotes, $0
  187. Prototype pollution attack in just-extend to Node.js third-party modules - 4 upvotes, $0
  188. Prototype pollution attack (upmerge) to Node.js third-party modules - 4 upvotes, $0
  189. Code Injection Vulnerability in dot Package to Node.js third-party modules - 4 upvotes, $0
  190. XSS in Bootbox to Node.js third-party modules - 4 upvotes, $0
  191. [https-proxy-agent] Socket returned without TLS upgrade on non-200 CONNECT response, allowing request data to be sent over unencrypted connection to Node.js third-party modules - 4 upvotes, $0
  192. Trojan:JS/CoinMiner in npm files to Node.js third-party modules - 4 upvotes, $0
  193. Command Injection due to lack of sanitisation of tar.gz filename passed as an argument to pm2.install() function to Node.js third-party modules - 4 upvotes, $0
  194. [utils-extend] Prototype pollution to Node.js third-party modules - 4 upvotes, $0
  195. [Limited bypass of #793704] Blind SSRF in Ghost CMS to Node.js third-party modules - 4 upvotes, $0
  196. [crypto-js] Insecure entropy source - Math.random() to Node.js third-party modules - 4 upvotes, $0
  197. [wappalyzer] ReDoS allows an attacker to completely break Wappalyzer to Node.js third-party modules - 4 upvotes, $0
  198. [sapper] Path Traversal to Node.js third-party modules - 4 upvotes, $0
  199. [express-cart] Wide CSRF in application to Node.js third-party modules - 4 upvotes, $0
  200. [hnzserver] Path Traversal allowing to read any files on the server to Node.js third-party modules - 4 upvotes, $0
  201. Prototype Pollution Vulnerability in noble Package to Node.js third-party modules - 4 upvotes, $0
  202. [lactate] Static Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 3 upvotes, $0
  203. [augustine] Static Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 3 upvotes, $0
  204. Prototype pollution attack (merge-deep) to Node.js third-party modules - 3 upvotes, $0
  205. Prototype pollution attack (defaults-deep) to Node.js third-party modules - 3 upvotes, $0
  206. npmconf (and npm js api) allocate and write to disk uninitialized memory content when a typed number is passed as input on Node.js 4.x to Node.js third-party modules - 3 upvotes, $0
  207. [sexstatic] HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name to Node.js third-party modules - 3 upvotes, $0
  208. Command injection in 'pdf-image' to Node.js third-party modules - 3 upvotes, $0
  209. utile allocates uninitialized Buffers when number is passed in input to Node.js third-party modules - 3 upvotes, $0
  210. [file-static-server] Path Traversal allows to read content of arbitrary file on the server to Node.js third-party modules - 3 upvotes, $0
  211. Privilege escalation with malicious .npmrc to Node.js third-party modules - 3 upvotes, $0
  212. XSS in express-useragent through HTTP User-Agent to Node.js third-party modules - 3 upvotes, $0
  213. [m-server] HTML Injection in filenames displayed as directory listing in the browser allows to embed iframe with malicious JavaScript code to Node.js third-party modules - 3 upvotes, $0
  214. Prototype pollution attack in node.extend to Node.js third-party modules - 3 upvotes, $0
  215. [harp] File access even when they have been set to be ignored. to Node.js third-party modules - 3 upvotes, $0
  216. [harp] Path traversal using symlink to Node.js third-party modules - 3 upvotes, $0
  217. A specifically malformed MQTT Subscribe packet crashes MQTT Brokers using the mqtt-packet module for decoding to Node.js third-party modules - 3 upvotes, $0
  218. [min-http-server] Stored XSS in the filename when directories listing to Node.js third-party modules - 3 upvotes, $0
  219. environment variable leakage in error reporting to Node.js third-party modules - 3 upvotes, $0
  220. Command Injection in npm module name passed as an argument to pm2.install() function to Node.js third-party modules - 3 upvotes, $0
  221. indexFile option passed as an argument to node-server can lead to arbitrary file read to Node.js third-party modules - 3 upvotes, $0
  222. [treekill] RCE via insecure command concatenation (only Windows) to Node.js third-party modules - 3 upvotes, $0
  223. Path traversal in https://www.npmjs.com/package/http_server via symlink to Node.js third-party modules - 3 upvotes, $0
  224. rgb2hex is vulnerable to ReDoS when parsing crafted invalid colors to Node.js third-party modules - 3 upvotes, $0
  225. [open] concatenation of unsanitized input into exec() command to Node.js third-party modules - 3 upvotes, $0
  226. [meta-git] RCE via insecure command formatting to Node.js third-party modules - 3 upvotes, $0
  227. [npm-git-publish] RCE via insecure command formatting to Node.js third-party modules - 3 upvotes, $0
  228. [node-red] Stored XSS within Flow's - "Name" field to Node.js third-party modules - 3 upvotes, $0
  229. [yarn] yarn.lock integrity & hash check logic is broken to Node.js third-party modules - 3 upvotes, $0
  230. [windows-edge] RCE via insecure command formatting to Node.js third-party modules - 3 upvotes, $0
  231. [snekserve] Stored XSS via filenames HTML formatted to Node.js third-party modules - 3 upvotes, $0
  232. [gfc] Command Injection via insecure command formatting to Node.js third-party modules - 3 upvotes, $0
  233. [systeminformation] Command Injection via insecure command formatting to Node.js third-party modules - 3 upvotes, $0
  234. Prototype pollution attack (deap) to Node.js third-party modules - 2 upvotes, $0
  235. [cloudcmd] Stored XSS in the filename when directories listing to Node.js third-party modules - 2 upvotes, $0
  236. concat-with-sourcemaps allocates uninitialized Buffers when number is passed as a separator to Node.js third-party modules - 2 upvotes, $0
  237. foreman is vulnerable to ReDoS in path to Node.js third-party modules - 2 upvotes, $0
  238. stringstream allocates uninitialized Buffers when number is passed in input stream on Node.js 4.x and below to Node.js third-party modules - 2 upvotes, $0
  239. fs-path concatenates unsanitized input into exec()/execSync() commands to Node.js third-party modules - 2 upvotes, $0
  240. sql does not properly escape parameters when building SQL queries, resulting in potential SQLi to Node.js third-party modules - 2 upvotes, $0
  241. [serve] Directory listing and File access even when they have been set to be ignored (using dot-slash) to Node.js third-party modules - 2 upvotes, $0
  242. [buttle] HTML Injection in filename leads to XSS when directory listing is displayed in the browser to Node.js third-party modules - 2 upvotes, $0
  243. [m-server] Path Traversal allows to display content of arbitrary file(s) from the server to Node.js third-party modules - 2 upvotes, $0
  244. Prototype pollution attack (mergify) to Node.js third-party modules - 2 upvotes, $0
  245. [http-live-simulator] Path traversal vulnerability to Node.js third-party modules - 2 upvotes, $0
  246. Regular Expression Denial of Service (ReDoS) to Node.js third-party modules - 2 upvotes, $0
  247. Prototype pollution attack (smart-extend) to Node.js third-party modules - 2 upvotes, $0
  248. useragent is vulnerable to ReDoS in user-agent string to Node.js third-party modules - 2 upvotes, $0
  249. [harp] Unsafe rendering of Markdown files to Node.js third-party modules - 2 upvotes, $0
  250. [public] Path traversal using symlink to Node.js third-party modules - 2 upvotes, $0
  251. [@azhou/basemodel] SQL injection to Node.js third-party modules - 2 upvotes, $0
  252. Filesystem Writes via yarn install via symlinks and tar transforms inside a crafted malicious package to Node.js third-party modules - 2 upvotes, $0
  253. [diskstats] Command Injection via insecure command concatenation to Node.js third-party modules - 2 upvotes, $0
  254. [is-my-json-valid] ReDoS via 'style' format to Node.js third-party modules - 2 upvotes, $0
  255. [static-server-gx] Path Traversal allowing to read any files on the server to Node.js third-party modules - 2 upvotes, $0
  256. [authmagic-timerange-stateless-core] Improper Authentication to Node.js third-party modules - 2 upvotes, $0
  257. [git-lib] RCE via insecure command formatting to Node.js third-party modules - 2 upvotes, $0
  258. [http_server] Path Traversal allowing to read any files on the server to Node.js third-party modules - 2 upvotes, $0
  259. [gity] RCE via insecure command formatting to Node.js third-party modules - 2 upvotes, $0
  260. [create-git] RCE via insecure command formatting to Node.js third-party modules - 2 upvotes, $0
  261. [node-downloader-helper] Path traversal via Content-Disposition header to Node.js third-party modules - 2 upvotes, $0
  262. [plain-object-merge] Prototype pollution to Node.js third-party modules - 2 upvotes, $0
  263. Prototype pollution attack (merge-recursive) to Node.js third-party modules - 1 upvote, $0
  264. Prototype pollution attack (merge-options) to Node.js third-party modules - 1 upvote, $0
  265. Prototype pollution attack (merge-objects) to Node.js third-party modules - 1 upvote, $0
  266. Command Injection Vulnerability in win-fork/win-spawn Packages to Node.js third-party modules - 1 upvote, $0
  267. Prototype Pollution Vulnerability in cached-path-relative Package to Node.js third-party modules - 1 upvote, $0
  268. [statics-server] Path Traversal due to lack of provided path sanitization to Node.js third-party modules - 1 upvote, $0
  269. [servey] Path Traversal allows to retrieve content of any file with extension from remote server to Node.js third-party modules - 1 upvote, $0
  270. typeorm does not properly escape parameters when building SQL queries, resulting in potential SQLi to Node.js third-party modules - 1 upvote, $0
  271. [file-browser] Inadequate Output Encoding and Escaping to Node.js third-party modules - 1 upvote, $0
  272. [md-fileserver] Path Traversal to Node.js third-party modules - 1 upvote, $0
  273. [deliver-or-else] Path Traversal to Node.js third-party modules - 1 upvote, $0
  274. [increments] sql injection to Node.js third-party modules - 1 upvote, $0
  275. Arbitrary code execution via untrusted schemas in ajv to Node.js third-party modules - 1 upvote, $0
  276. [meemo-app] Denial of Service via LDAP Injection to Node.js third-party modules - 1 upvote, $0
  277. Prototype pollution attack (lodash) to Node.js third-party modules - 1 upvote, $0
  278. [json-bigint] DoS via __proto__ assignment to Node.js third-party modules - 1 upvote, $0
  279. [bl] Uninitialized memory exposure via negative .consume() to Node.js third-party modules - 1 upvote, $0
  280. [sirloin] Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 1 upvote, $0
  281. [hangersteak] Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 1 upvote, $0
  282. [keyd] Prototype pollution to Node.js third-party modules - 1 upvote, $0
  283. [objtools] Prototype pollution to Node.js third-party modules - 1 upvote, $0
  284. [http-live-simulator] Application-level DoS to Node.js third-party modules - 1 upvote, $0
  285. [ts-dot-prop] Prototype Pollution to Node.js third-party modules - 1 upvote, $0
  286. [expressjs-ip-control] Whitelist IP bypass leads to authorization bypass and sensitive info disclosure to Node.js third-party modules - 1 upvote, $0
  287. [zenn-cli] Path traversal on Windows allows the attacker to read arbitrary .md files to Node.js third-party modules - 1 upvote, $0
  288. [chart.js] Prototype pollution to Node.js third-party modules - 1 upvote, $0
  289. [dy-server2] - stored Cross-Site Scripting to Node.js third-party modules - 1 upvote, $0
  290. [curling] Remote Code Execution to Node.js third-party modules - 1 upvote, $0
  291. npm packages that overlap with core node packages to Node.js third-party modules - 0 upvotes, $0
  292. Media parsing in canvas is at least vulnerable to Denial of Service through multiple vulnerabilities to Node.js third-party modules - 0 upvotes, $0
  293. Arbitrary file overwrites in node-tar to Node.js third-party modules - 0 upvotes, $0
  294. Command Injection vulnerability in kill-port-process package to Node.js third-party modules - 0 upvotes, $0
  295. [listening-processes] Command Injection to Node.js third-party modules - 0 upvotes, $0
  296. Crash Node.js process from handlebars using a small and simple source to Node.js third-party modules - 0 upvotes, $0
  297. [xps] Command Injection via insecure command concatenation to Node.js third-party modules - 0 upvotes, $0
  298. [vboxmanage.js] Command Injection via insecure command concatenation to Node.js third-party modules - 0 upvotes, $0
  299. [object-path-set] Prototype pollution to Node.js third-party modules - 0 upvotes, $0
  300. [extra-ffmpeg] Command Injection via insecure command formatting to Node.js third-party modules - 0 upvotes, $0
  301. [supermixer] Prototype pollution to Node.js third-party modules - 0 upvotes, $0
  302. [extra-asciinema] Command Injection via insecure command formatting to Node.js third-party modules - 0 upvotes, $0
  303. [flsaba] Stored XSS in the file and directory name when directories listing to Node.js third-party modules - 0 upvotes, $0
  304. [commit-msg] RCE via insecure command formatting to Node.js third-party modules - 0 upvotes, $0
  305. [tianma-static] Security issue with XSS. to Node.js third-party modules - 0 upvotes, $0
  306. [@firebase/util] Prototype pollution to Node.js third-party modules - 0 upvotes, $0
  307. [imagickal] Remote Code Execution to Node.js third-party modules - 0 upvotes, $0