Node.js third-party modules - HackerOne Reports
Total reports: 307 (Critical: 58, High: 116, Medium: 94, Low: 34)
| Report | Reported by | Disclosed | Severity | Weakness |
|---|---|---|---|---|
| Command Injection Vulnerability in win-fork/win-spawn Packages | cris_semmle | | High | Command Injection - Generic |
| Prototype Pollution Vulnerability in cached-path-relative Package | cris_semmle | | High | Uncontrolled Resource Consumption |
| `indexFile` option passed as an argument to node-server can lead to arbitrary file read | bl4de | | Low | Path Traversal |
| [notevil] - Sandbox Escape Lead to RCE on Node.js and XSS in the Browser | phra | | High | Code Injection |
| Crash Node.js process from handlebars using a small and simple source | macasun | | Medium | Uncontrolled Resource Consumption |
| Several simple remote code execution in pdf-image | gabriel-kimiaie | | Critical | Code Injection |
| flatmap-stream malicious package (distributed via the popular events-stream) | danny_grander | | Critical | Embedded Malicious Code |
| `macaddress` concatenates unsanitized input into exec() command | chalker | | Critical | Command Injection - Generic |
| `https-proxy-agent` passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak | chalker | | High | Uncontrolled Resource Consumption |
| `npmconf` (and `npm` js api) allocate and write to disk uninitialized memory content when a typed number is passed as input on Node.js 4.x | chalker | | High | Out-of-bounds Read |
| Regular Expression Denial of Service (ReDoS) | danny_grander | | Medium | Uncontrolled Resource Consumption |
| [m-server] Path Traversal allows displaying the content of arbitrary file(s) from the server | bl4de | | Medium | Path Traversal |
| url-parse package returns wrong hostname | leetboi | | High | Open Redirect |
| [html-janitor] Passing user-controlled data to clean() leads to XSS | bayotop | | Critical | Cross-site Scripting (XSS) - DOM |
| [serve] Directory listing and File access even when they have been set to be ignored | 0xchr00t | | Critical | Information Exposure Through Directory Listing |
| [bracket-template] Reflected XSS possible when variable passed via GET parameter is used in template | bl4de | | High | Cross-site Scripting (XSS) - Reflected |
| [buttle] Remote Command Execution via unsanitized PHP filename when it's run with --php-bin flag | bl4de | | Critical | OS Command Injection |
| [create-git] RCE via insecure command formatting | mik317 | | Critical | Code Injection |
| [git-lib] RCE via insecure command formatting | mik317 | | Medium | Code Injection |
| [crud-file-server] Stored XSS in filenames when directory index is served by crud-file-server | bl4de | | Critical | Cross-site Scripting (XSS) - Stored |