CVE-2017-16098
charset 1.0.0 and below are vulnerable to regular expression denial of service. Input of around 50k characters is required for a slowdown of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE=...
tiny-http is a simple HTTP server. tiny-http is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Date published: 2018-06-06 https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/tiny-http https://nodesecurity.io/advisories/342
serveryaozeyan is a simple HTTP server. serveryaozeyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Date published: 2018-06-06 https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/serveryaozeyan https://nodesecurity.io/advisories/355
serverliujiayi1 is a simple HTTP server. serverliujiayi1 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Date published: 2018-06-06 https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/serverliujiayi1 https://nodesecurity.io/advisories/367
iter-http is a server for static files. iter-http is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Date published: 2018-06-06 https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/iter-http https://nodesecurity.io/advisories/343
cyber-js is a simple HTTP server. A cyberjs server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Date published: 2018-06-06 https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/cyber-js...
Sencisho is a simple HTTP server for local development. Sencisho is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Date published: 2018-06-06...
xtalk helps your browser talk to nodex, a simple web framework. xtalk is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Date published...
fsk-server is a simple HTTP server. fsk-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Date published: 2018-06-06 https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/fsk-server https://nodesecurity.io/advisories/345
serverlyr is a simple HTTP server. serverlyr is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Date published: 2018-06-06 https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/serverlyr https://nodesecurity.io/advisories/365
The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, unsanitized user input can access the entire standard library and effectively break out of the sandbox. Date published...
ua-parser is a port of Browserscope’s user agent parser. ua-parser is vulnerable to a ReDoS (Regular Expression Denial of Service) attack when given a specially crafted User-Agent header. Date published: 2018-06-06 https://nodesecurity.io/advisories/316
tinyserver2 is a webserver for static files. tinyserver2 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Date published: 2018-06-06 https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/tinyserver2 https://nodesecurity.io/advisories/371
list-n-stream is a server for static files to list and stream local videos. list-n-stream v0.0.10 or lower is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../"...