Vulnerabilities

CVE-2017-16172

UNKNOWN

section2.madisonjbrooks12 is a simple web server. section2.madisonjbrooks12 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16056

UNKNOWN

mssql.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

Published Jun 07, 2018

CVE-2017-16125

UNKNOWN

rtcmulticonnection-client is a signaling implementation for RTCMultiConnection.js, a multi-session manager. rtcmulticonnection-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16100

UNKNOWN

dns-sync is a sync/blocking dns resolver. If untrusted user input is allowed into the resolve() method then command injection is possible.

Published Jun 07, 2018

CVE-2017-16225

UNKNOWN

aegir is a module to help automate JavaScript project management. Versions 12.0.0 through 12.0.7 (inclusive) bundled and published to npm the GitHub token of the user who performed the aegir-release.

Published Jun 07, 2018

CVE-2018-3727

UNKNOWN

The 626 node module suffers from a Path Traversal vulnerability due to lack of validation of file, which allows a malicious user to read the content of any file with a known path.

Published Jun 07, 2018

CVE-2017-16190

UNKNOWN

dcdcdcdcdc is a static file server. dcdcdcdcdc is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16173

UNKNOWN

utahcityfinder constructs lists of Utah cities with a certain prefix. utahcityfinder is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16216

UNKNOWN

tencent-server is a simple web server. tencent-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16187

UNKNOWN

open-device creates a web interface for any device. open-device is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16222

UNKNOWN

elding is a simple web server. elding is vulnerable to a directory traversal issue, allowing an attacker to access the filesystem by placing "../" in the url. The files accessible, however, are limited to files with a file extension. Sending a GET request to /../../../etc/passwd, for example, will return a 404 on etc/passwd/index.js.

Published Jun 07, 2018

CVE-2017-16120

UNKNOWN

liyujing is a static file server. liyujing is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16084

UNKNOWN

list-n-stream is a server for static files to list and stream local videos. list-n-stream v0.0.10 or lower is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2018-3723

UNKNOWN

defaults-deep node module before 0.2.4 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Published Jun 07, 2018

CVE-2017-16070

UNKNOWN

nodecaffe was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

Published Jun 07, 2018

CVE-2017-16078

UNKNOWN

shadowsock was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

Published Jun 07, 2018

CVE-2017-16115

UNKNOWN

The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.

Published Jun 07, 2018

CVE-2017-16191

UNKNOWN

cypserver is a static file server. cypserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16169

UNKNOWN

looppake is a simple http server. looppake is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16195

UNKNOWN

pytservce is a static file server. pytservce is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16076

UNKNOWN

proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

Published Jun 07, 2018

CVE-2017-16209

UNKNOWN

enserver is a simple web server. enserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16117

UNKNOWN

slug is a module to slugify strings, even if they contain unicode. slug is vulnerable to regular expression denial of service if specially crafted untrusted input is passed as input. About 50k characters can block the event loop for 2 seconds.

Published Jun 07, 2018

CVE-2017-16163

UNKNOWN

dylmomo is a simple file server. dylmomo is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16113

UNKNOWN

The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.

Published Jun 07, 2018

CVE-2017-16093

UNKNOWN

cyber-js is a simple http server. A cyberjs server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16089

UNKNOWN

serverlyr is a simple http server. serverlyr is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

Published Jun 07, 2018

CVE-2017-16223

UNKNOWN

nodeaaaaa is a static file server. nodeaaaaa is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16193

UNKNOWN

mfrs is a static file server. mfrs is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16092

UNKNOWN

Sencisho is a simple http server for local development. Sencisho is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

Published Jun 07, 2018

CVE-2017-16065

UNKNOWN

openssl.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

Published Jun 07, 2018

CVE-2017-16123

UNKNOWN

welcomyzt is a simple file server. welcomyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16098

UNKNOWN

charset 1.0.0 and below are vulnerable to regular expression denial of service. Input of around 50k characters is required for a slowdown of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option, the default header max length is 80kb, so the impact of the ReDoS is relatively low.

Published Jun 07, 2018

CVE-2017-16072

UNKNOWN

nodemailer.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

Published Jun 07, 2018

CVE-2017-16136

UNKNOWN

method-override is a module used by the Express.js framework to let you use HTTP verbs such as PUT or DELETE in places where the client doesn't support it. method-override is vulnerable to a regular expression denial of service vulnerability when specially crafted input is passed in to be parsed via the X-HTTP-Method-Override header.

Published Jun 07, 2018

CVE-2017-16131

UNKNOWN

unicorn-list is a web framework. unicorn-list is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16180

UNKNOWN

serverabc is a static file server. serverabc is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16208

UNKNOWN

dmmcquay.lab6 is a REST server. dmmcquay.lab6 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16194

UNKNOWN

picard is a micro framework. picard is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16156

UNKNOWN

myprolyz is a static file server. myprolyz is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16174

UNKNOWN

whispercast is a file server. whispercast is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16197

UNKNOWN

qinserve is a static file server. qinserve is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16199

UNKNOWN

susu-sum is a static file server. susu-sum is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16184

UNKNOWN

scott-blanch-weather-app is a sample Node.js app using Express 4. scott-blanch-weather-app is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16147

UNKNOWN

shit-server is a file server. shit-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16142

UNKNOWN

infraserver is a RESTful server. infraserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16215

UNKNOWN

sgqserve is a simple file server. sgqserve is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16074

UNKNOWN

crossenv was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

Published Jun 07, 2018

CVE-2017-16122

UNKNOWN

cuciuci is a simple fileserver. cuciuci is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Published Jun 07, 2018

CVE-2017-16083

UNKNOWN

node-simple-router is a minimalistic router for Node. node-simple-router is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

Published Jun 07, 2018