CVE-2017-16127
The module pandora-doomsday infects other modules. It’s since been unpublished from the registry. Date published : 2018-06-06 https://nodesecurity.io/advisories/482
The module botbait is a tool used to track bot and automated-tool usage within the npm ecosystem. botbait is known to record and track user information. The module tracks the following...
rtcmulticonnection-client is a signaling implementation for RTCMultiConnection.js, a multi-session manager. rtcmulticonnection-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Date published :...
node-server-forfront is a simple static file server. node-server-forfront is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Date published : 2018-06-06 https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/node-server-forfront https://nodesecurity.io/advisories/382
welcomyzt is a simple file server. welcomyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Date published : 2018-06-06 https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/pooledwebsocket https://nodesecurity.io/advisories/388
cuciuci is a simple fileserver. cuciuci is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Date published : 2018-06-06 https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/cuciuci https://nodesecurity.io/advisories/381
datachannel-client is a signaling implementation for DataChannel.js. datachannel-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Date published : 2018-06-06 https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/datachannel-client https://nodesecurity.io/advisories/391
liyujing is a static file server. liyujing is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Date published : 2018-06-06 https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/liyujing https://nodesecurity.io/advisories/387
Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This...
The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it’s passed specially crafted input to parse. This causes...
slug is a module to slugify strings, even if they contain unicode. slug is vulnerable to regular expression denial of service if specially crafted untrusted input is passed as input. About 50k characters can...
The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or...
The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds. Date published : 2018-06-06 https://github.com/indexzero/TimeSpan.js/issues/10 https://nodesecurity.io/advisories/533
The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds. Date published : 2018-06-06 https://github.com/chjj/marked/issues/937...