├── .github ├── CODEOWNERS ├── dependabot.yml └── workflows │ ├── codeql.yml │ ├── dependency-review.yml │ ├── ossf-scorecard-reporting.yml │ ├── scorecard.yml │ ├── stale.yml │ ├── test.yml │ ├── update-core-index.yml │ ├── update-npm-index.yml │ └── validate-vulnerability.yml ├── .gitignore ├── CONTRIBUTING.md ├── GOVERNANCE.md ├── LICENSE.md ├── MAINTAINERS_THREAT_MODEL.md ├── README.md ├── meetings ├── 2016-12-02.md ├── 2016-12-22.md ├── 2017-01-05.md ├── 2017-03-02.md ├── 2017-07-13.md ├── 2017-08-10.md ├── 2017-10-12.md ├── 2017-11-02.md ├── 2017-11-30.md ├── 2018-01-04.md ├── 2018-01-25.md ├── 2018-02-22.md ├── 2018-03-22.md ├── 2018-04-19.md ├── 2018-05-17.md ├── 2018-06-14.md ├── 2018-07-12.md ├── 2018-08-09.md ├── 2018-09-06.md ├── 2018-10-04.md ├── 2018-11-05.md ├── 2018-12-03.md ├── 2019-01-03.md ├── 2019-02-25.md ├── 2019-03-25.md ├── 2019-04-22.md ├── 2019-06-17.md ├── 2019-07-15.md ├── 2019-12-02 ├── 2020-05-18.md ├── 2021-01-25.md ├── 2021-02-22.md ├── 2021-03-25.md ├── 2021-07-21.md ├── 2022-05-12.md ├── 2022-05-26.md ├── 2022-06-02.md ├── 2022-06-23.md ├── 2022-07-07.md ├── 2022-07-21.md ├── 2022-08-04.md ├── 2022-08-18.md ├── 2022-09-01.md ├── 2022-09-15.md ├── 2022-10-13.md ├── 2022-10-27.md ├── 2022-11-10.md ├── 2022-11-24.md ├── 2022-12-08.md ├── 2023-01-05.md ├── 2023-01-19.md ├── 2023-02-02.md ├── 2023-02-16.md ├── 2023-03-02.md ├── 2023-03-16.md ├── 2023-03-30.md ├── 2023-04-13.md ├── 2023-04-27.md ├── 2023-05-11.md ├── 2023-05-25.md ├── 2023-06-08.md ├── 2023-06-22.md ├── 2023-07-06.md ├── 2023-07-20.md ├── 2023-08-03.md ├── 2023-08-17.md ├── 2023-08-31.md ├── 2023-09-14.md ├── 2023-09-28.md ├── 2023-10-26.md ├── 2023-11-23.md ├── 2023-12-21.md ├── 2024-01-04.md ├── 2024-01-18.md ├── 2024-02-01.md ├── 2024-02-29.md ├── 2024-03-14.md ├── 2024-03-28.md ├── 2024-04-25.md ├── 2024-05-09.md ├── 2024-05-23.md ├── 2024-06-06.md ├── 2024-06-20.md ├── 2024-07-18.md ├── 2024-08-01.md ├── 2024-08-29.md ├── 2024-09-12.md ├── 2024-09-26.md ├── 2024-10-10.md ├── 2024-10-24.md ├── 2024-11-21.md ├── 2024-12-05.md ├── 2024-12-19.md ├── 2025-01-16.md ├── 2025-01-30.md ├── 2025-02-27.md ├── 2025-03-13.md ├── 2025-03-27.md ├── 2025-05-08.md └── nodejs-collab-summit │ └── nodejs-collab-summit-vancouve-2018.md ├── package-lock.json ├── package.json ├── processes ├── vuln_db.md ├── wg_offboarding.md └── wg_onboarding.md ├── test ├── fixtures │ ├── valid-vuln.json │ └── wrong-vuln.json └── validate-vuln.js ├── tools ├── README.md ├── create_index │ ├── create_core_index.js │ ├── create_npm_index.js │ └── index_generator.js ├── ossf_best_practices │ ├── passing_criteria.md │ └── silver_criteria.md ├── ossf_scorecard │ ├── database.json │ ├── report.md │ └── scope.json └── vuln_valid │ ├── index.js │ └── vulnValidate.js ├── votes └── initiatives-2024.json └── vuln ├── README.md ├── core ├── 1.json ├── 10.json ├── 100.json ├── 101.json ├── 102.json ├── 103.json ├── 104.json ├── 105.json ├── 106.json ├── 107.json ├── 108.json ├── 109.json ├── 11.json ├── 110.json ├── 111.json ├── 112.json ├── 113.json ├── 114.json ├── 115.json ├── 116.json ├── 117.json ├── 118.json ├── 119.json ├── 12.json ├── 120.json ├── 121.json ├── 122.json ├── 123.json ├── 124.json ├── 125.json ├── 126.json ├── 127.json ├── 128.json ├── 129.json ├── 13.json ├── 130.json ├── 131.json ├── 132.json ├── 133.json ├── 134.json ├── 135.json ├── 136.json ├── 137.json ├── 138.json ├── 139.json ├── 14.json ├── 140.json ├── 141.json ├── 142.json ├── 143.json ├── 144.json ├── 145.json ├── 146.json ├── 147.json ├── 148.json ├── 149.json ├── 15.json ├── 150.json ├── 151.json ├── 152.json ├── 153.json ├── 16.json ├── 17.json ├── 18.json ├── 19.json ├── 2.json ├── 20.json ├── 21.json ├── 22.json ├── 23.json ├── 24.json ├── 25.json ├── 26.json ├── 27.json ├── 28.json ├── 29.json ├── 3.json ├── 30.json ├── 31.json ├── 32.json ├── 33.json ├── 34.json ├── 35.json ├── 36.json ├── 37.json ├── 38.json ├── 39.json ├── 4.json ├── 40.json ├── 41.json ├── 42.json ├── 43.json ├── 44.json ├── 45.json ├── 46.json ├── 47.json ├── 48.json ├── 49.json ├── 5.json ├── 50.json ├── 51.json ├── 52.json ├── 53.json ├── 54.json ├── 55.json ├── 56.json ├── 57.json ├── 58.json ├── 59.json ├── 6.json ├── 60.json ├── 61.json ├── 62.json ├── 63.json ├── 64.json ├── 65.json ├── 66.json ├── 67.json ├── 68.json ├── 69.json ├── 7.json ├── 70.json ├── 71.json ├── 72.json ├── 73.json ├── 74.json ├── 75.json ├── 76.json ├── 77.json ├── 78.json ├── 79.json ├── 8.json ├── 80.json ├── 81.json ├── 82.json ├── 83.json ├── 84.json ├── 85.json ├── 86.json ├── 87.json ├── 88.json ├── 89.json ├── 9.json ├── 90.json ├── 91.json ├── 92.json ├── 93.json ├── 94.json ├── 95.json ├── 96.json ├── 97.json ├── 98.json ├── 99.json └── index.json ├── index.js └── npm ├── 1.json ├── 10.json ├── 100.json ├── 101.json ├── 102.json ├── 104.json ├── 106.json ├── 107.json ├── 108.json ├── 109.json ├── 11.json ├── 112.json ├── 113.json ├── 114.json ├── 115.json ├── 116.json ├── 117.json ├── 118.json ├── 12.json ├── 120.json ├── 121.json ├── 122.json ├── 123.json ├── 124.json ├── 125.json ├── 126.json ├── 127.json ├── 128.json ├── 129.json ├── 13.json ├── 130.json ├── 131.json ├── 132.json ├── 133.json ├── 134.json ├── 135.json ├── 136.json ├── 137.json ├── 138.json ├── 139.json ├── 14.json ├── 140.json ├── 143.json ├── 144.json ├── 145.json ├── 147.json ├── 148.json ├── 149.json ├── 15.json ├── 150.json ├── 151.json ├── 152.json ├── 153.json ├── 154.json ├── 155.json ├── 156.json ├── 157.json ├── 158.json ├── 159.json ├── 16.json ├── 160.json ├── 161.json ├── 162.json ├── 163.json ├── 164.json ├── 165.json ├── 166.json ├── 167.json ├── 168.json ├── 169.json ├── 17.json ├── 170.json ├── 171.json ├── 172.json ├── 173.json ├── 174.json ├── 175.json ├── 176.json ├── 177.json ├── 178.json ├── 179.json ├── 18.json ├── 180.json ├── 181.json ├── 182.json ├── 183.json ├── 184.json ├── 185.json ├── 186.json ├── 187.json ├── 188.json ├── 189.json ├── 19.json ├── 190.json ├── 192.json ├── 193.json ├── 194.json ├── 195.json ├── 196.json ├── 197.json ├── 198.json ├── 199.json ├── 2.json ├── 20.json ├── 200.json ├── 201.json ├── 202.json ├── 203.json ├── 204.json ├── 205.json ├── 206.json ├── 207.json ├── 208.json ├── 209.json ├── 21.json ├── 210.json ├── 211.json ├── 212.json ├── 213.json ├── 214.json ├── 215.json ├── 216.json ├── 217.json ├── 218.json ├── 219.json ├── 22.json ├── 220.json ├── 221.json ├── 222.json ├── 223.json ├── 224.json ├── 225.json ├── 226.json ├── 227.json ├── 228.json ├── 229.json ├── 23.json ├── 230.json ├── 231.json ├── 232.json ├── 233.json ├── 234.json ├── 235.json ├── 236.json ├── 237.json ├── 238.json ├── 239.json ├── 24.json ├── 240.json ├── 241.json ├── 242.json ├── 243.json ├── 244.json ├── 245.json ├── 246.json ├── 247.json ├── 248.json ├── 25.json ├── 250.json ├── 251.json ├── 252.json ├── 253.json ├── 254.json ├── 255.json ├── 256.json ├── 257.json ├── 258.json ├── 259.json ├── 26.json ├── 260.json ├── 261.json ├── 262.json ├── 263.json ├── 264.json ├── 265.json ├── 266.json ├── 267.json ├── 268.json ├── 269.json ├── 27.json ├── 270.json ├── 271.json ├── 272.json ├── 273.json ├── 274.json ├── 275.json ├── 276.json ├── 277.json ├── 278.json ├── 279.json ├── 28.json ├── 280.json ├── 281.json ├── 282.json ├── 283.json ├── 284.json ├── 285.json ├── 286.json ├── 287.json ├── 288.json ├── 289.json ├── 29.json ├── 290.json ├── 292.json ├── 293.json ├── 294.json ├── 295.json ├── 296.json ├── 297.json ├── 298.json ├── 299.json ├── 3.json ├── 30.json ├── 300.json ├── 301.json ├── 302.json ├── 303.json ├── 304.json ├── 305.json ├── 307.json ├── 308.json ├── 309.json ├── 31.json ├── 310.json ├── 311.json ├── 312.json ├── 313.json ├── 314.json ├── 315.json ├── 318.json ├── 319.json ├── 32.json ├── 321.json ├── 323.json ├── 324.json ├── 325.json ├── 326.json ├── 327.json ├── 328.json ├── 329.json ├── 33.json ├── 330.json ├── 331.json ├── 332.json ├── 334.json ├── 335.json ├── 336.json ├── 338.json ├── 34.json ├── 349.json ├── 35.json ├── 350.json ├── 356.json ├── 357.json ├── 358.json ├── 359.json ├── 36.json ├── 360.json ├── 361.json ├── 362.json ├── 363.json ├── 364.json ├── 365.json ├── 366.json ├── 367.json ├── 368.json ├── 369.json ├── 37.json ├── 370.json ├── 371.json ├── 372.json ├── 373.json ├── 374.json ├── 375.json ├── 376.json ├── 377.json ├── 378.json ├── 379.json ├── 38.json ├── 380.json ├── 381.json ├── 382.json ├── 383.json ├── 384.json ├── 385.json ├── 386.json ├── 387.json ├── 388.json ├── 389.json ├── 39.json ├── 390.json ├── 391.json ├── 392.json ├── 393.json ├── 394.json ├── 395.json ├── 396.json ├── 397.json ├── 398.json ├── 399.json ├── 4.json ├── 40.json ├── 400.json ├── 401.json ├── 402.json ├── 403.json ├── 404.json ├── 405.json ├── 406.json ├── 407.json ├── 408.json ├── 409.json ├── 41.json ├── 410.json ├── 411.json ├── 412.json ├── 413.json ├── 414.json ├── 415.json ├── 416.json ├── 417.json ├── 418.json ├── 419.json ├── 42.json ├── 420.json ├── 421.json ├── 422.json ├── 423.json ├── 424.json ├── 425.json ├── 426.json ├── 427.json ├── 428.json ├── 429.json ├── 43.json ├── 430.json ├── 431.json ├── 432.json ├── 433.json ├── 434.json ├── 435.json ├── 436.json ├── 437.json ├── 438.json ├── 439.json ├── 44.json ├── 441.json ├── 442.json ├── 443.json ├── 444.json ├── 445.json ├── 446.json ├── 447.json ├── 448.json ├── 449.json ├── 45.json ├── 450.json ├── 451.json ├── 454.json ├── 456.json ├── 457.json ├── 458.json ├── 459.json ├── 46.json ├── 460.json ├── 461.json ├── 463.json ├── 464.json ├── 465.json ├── 466.json ├── 467.json ├── 468.json ├── 469.json ├── 47.json ├── 470.json ├── 471.json ├── 472.json ├── 473.json ├── 474.json ├── 475.json ├── 476.json ├── 477.json ├── 478.json ├── 479.json ├── 48.json ├── 480.json ├── 481.json ├── 484.json ├── 485.json ├── 486.json ├── 487.json ├── 488.json ├── 489.json ├── 49.json ├── 490.json ├── 491.json ├── 492.json ├── 493.json ├── 494.json ├── 495.json ├── 496.json ├── 497.json ├── 498.json ├── 499.json ├── 5.json ├── 50.json ├── 500.json ├── 501.json ├── 502.json ├── 503.json ├── 504.json ├── 505.json ├── 506.json ├── 507.json ├── 508.json ├── 509.json ├── 51.json ├── 510.json ├── 511.json ├── 512.json ├── 513.json ├── 514.json ├── 515.json ├── 516.json ├── 517.json ├── 518.json ├── 519.json ├── 52.json ├── 53.json ├── 54.json ├── 55.json ├── 56.json ├── 57.json ├── 59.json ├── 60.json ├── 61.json ├── 62.json ├── 63.json ├── 64.json ├── 65.json ├── 66.json ├── 67.json ├── 68.json ├── 7.json ├── 74.json ├── 75.json ├── 76.json ├── 77.json ├── 8.json ├── 80.json ├── 81.json ├── 85.json ├── 86.json ├── 87.json ├── 88.json ├── 89.json ├── 9.json ├── 90.json ├── 91.json ├── 92.json ├── 93.json ├── 94.json ├── 95.json ├── 96.json ├── 97.json ├── 98.json ├── 99.json └── index.json /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # -- Node.js security ecosystem triage members 2 | # These owners will be automatically assigned to any PRs 3 | # opened for vulnerabilities to be added to the database 4 | # of the npm community ecosystem 5 | /vuln/npm/ @nodejs/ecosystem-security 6 | 7 | # Currently setting the same ecosystem team to help 8 | # review any core related PRs as well 9 | /vuln/core/ @mhdawson @rvagg @vdeturckheim @RafaelGSS 10 | 11 | # -- Node.js Security WG processes 12 | # Security WG members who'd like to automatically add 13 | # themselves to processes PR reviews should be added here 14 | /processes/ @vdeturckheim @lirantal @mhdawson @RafaelGSS 15 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: npm 4 | directory: "/" 5 | schedule: 6 | interval: weekly 7 | open-pull-requests-limit: 10 8 | versioning-strategy: widen 9 | - package-ecosystem: github-actions 10 | directory: "/" 11 | schedule: 12 | interval: daily 13 | open-pull-requests-limit: 10 14 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "security-wg", 3 | "version": "1.0.0", 4 | "scripts": { 5 | "test": "node --test", 6 | "validate": "node tools/vuln_valid", 7 | "create-npm-index": "node tools/create_index/create_npm_index.js", 8 | "create-core-index": "node tools/create_index/create_core_index.js" 9 | }, 10 | "keywords": [], 11 | "author": "", 12 | "license": "MIT", 13 | "dependencies": { 14 | "@pkgjs/nv": "^0.2.1", 15 | "joi": "^17.13.3", 16 | "semver": "^7.3.8" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /test/fixtures/valid-vuln.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-0000-1234" 4 | ], 5 | "ref": "mock://mock.ref", 6 | "vulnerable": "8.x || 7.x || 4.x || 6.x || 5.x", 7 | "patched": "^8.1.4 || ^7.10.1 || ^4.8.4 || ^6.11.1", 8 | "description": "mocked core vulnerability overview", 9 | "overview": "mocked core vulnerability overview", 10 | "affectedEnvironments": ["all"], 11 | "severity": "medium" 12 | } 13 | -------------------------------------------------------------------------------- /test/fixtures/wrong-vuln.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "MOCK-0000-1234" 4 | ], 5 | "ref": "mock://mock.ref", 6 | "vulnerable": "8.x || 7.x || 4.x || 6.x || 5.x", 7 | "patched": "^8.1.4 || ^7.10.1 || ^4.8.4 || ^6.11.1", 8 | "description": "mocked core vulnerability overview", 9 | "overview": "mocked core vulnerability overview" 10 | } 11 | -------------------------------------------------------------------------------- /test/validate-vuln.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | 3 | const { describe, it } = require('node:test'); 4 | const assert = require('node:assert'); 5 | const path = require('node:path'); 6 | 7 | const vulnValid = require('../tools/vuln_valid/vulnValidate'); 8 | 9 | const vulnPathsPass = path.resolve('./fixtures/valid-vuln'); 10 | const vulnPathsFail = path.resolve('./fixtures/wrong-vuln'); 11 | 12 | describe('Testing vuln_valid', () => { 13 | it('Testing validate for core', () => { 14 | // assert.doesNotThrow(() => 15 | // vulnValid.validateVuln( 16 | // vulnPathsPass, 17 | // vulnValid.coreModel 18 | // ) 19 | // ); 20 | // assert.throws(() => 21 | // vulnValid.validateVuln( 22 | // vulnPathsFail, 23 | // vulnValid.coreModel 24 | // ) 25 | // ); 26 | }); 27 | }); 28 | -------------------------------------------------------------------------------- /tools/README.md: -------------------------------------------------------------------------------- 1 | # Security WG Tooling 2 | 3 | In this directory you can find several tooling that will aid in validating NSWG vulnerability reports and creating them. 4 | 5 | ## Validating NSWG Reports 6 | 7 | `vuln_valid` ensures that a vulnerability report is structured according to NSWG guidelines and schema. 8 | It is currently used as the lint tool when `npm test` is ran in the project's top-level directory and validates both NSWG Ecosystem as well as NSWG Core vulnerability formats. 9 | 10 | Usage: 11 | 12 | ```bash 13 | $ node tools/vuln_valid 14 | ``` 15 | -------------------------------------------------------------------------------- /tools/create_index/create_core_index.js: -------------------------------------------------------------------------------- 1 | const generator = require('./index_generator') 2 | 3 | const coreVulnerabilitiesPath = './vuln/core/' 4 | 5 | generator(coreVulnerabilitiesPath) -------------------------------------------------------------------------------- /tools/create_index/create_npm_index.js: -------------------------------------------------------------------------------- 1 | const generator = require('./index_generator') 2 | 3 | const npmVulnerabilitiesPath = './vuln/npm/' 4 | 5 | generator(npmVulnerabilitiesPath) -------------------------------------------------------------------------------- /tools/vuln_valid/index.js: -------------------------------------------------------------------------------- 1 | "use strict"; 2 | 3 | const vulnValidate = require("./vulnValidate"); 4 | const vulnPaths = require("../../vuln").paths; 5 | 6 | vulnValidate.validate(vulnPaths.core, vulnValidate.coreModel); 7 | vulnValidate.validate(vulnPaths.npm, vulnValidate.npmModel); 8 | -------------------------------------------------------------------------------- /vuln/core/1.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2017-1000381" 4 | ], 5 | "ref": "https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/", 6 | "vulnerable": "8.x || 7.x || 4.x || 6.x || 5.x", 7 | "patched": "^8.1.4 || ^7.10.1 || ^4.8.4 || ^6.11.1", 8 | "description": "memory overread when parsing invalid NAPTR responses", 9 | "overview": "The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR\nresponses, could be triggered to read memory outside of the given input buffer\nif the passed in DNS response packet was crafted in a particular way.\n\n", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "unknown" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/10.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2016-5172" 4 | ], 5 | "vulnerable": "6.x", 6 | "patched": "^6.9.0", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/", 8 | "overview": "The V8 parser mishandled scopes, potentially allowing an attacker to obtain\nsensitive information from arbitrary memory locations via crafted JavaScript\ncode. This vulnerability would require an attacker to be able to execute\narbitrary JavaScript code in a Node.js process.\n\n", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/100.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2022-35256" 4 | ], 5 | "vulnerable": "14.x || 16.x || 18.x", 6 | "patched": "^14.20.1 || ^16.17.1 || ^18.9.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/", 8 | "overview": "The llhttp parser in the http module in Node.js v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/101.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2022-35255" 4 | ], 5 | "vulnerable": "18.x", 6 | "patched": "^18.9.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/", 8 | "overview": "Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. However, it does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/102.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2022-43548" 4 | ], 5 | "vulnerable": "14.x || 16.x || 18.x || 19.x", 6 | "patched": "^14.21.1 || ^16.18.1 || ^18.12.1 || ^19.0.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/", 8 | "overview": "The Node.js rebinding protector for --inspect still allows invalid IP address, specifically, the octal format.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/103.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-23918" 4 | ], 5 | "vulnerable": "14.x || 16.x || 18.x || 19.x", 6 | "patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/", 8 | "overview": "It was possible to bypass Permissions and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/104.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-23919" 4 | ], 5 | "vulnerable": "14.x || 16.x || 18.x || 19.x", 6 | "patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.2.0", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/", 8 | "overview": "In some cases Node.js did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/105.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-23936" 4 | ], 5 | "vulnerable": "14.x || 16.x || 18.x || 19.x", 6 | "patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/", 8 | "overview": "The fetch API in Node.js did not prevent CRLF injection in the 'host' header potentially allowing attacks such as HTTP response splitting and HTTP header injection.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/106.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-24807" 4 | ], 5 | "vulnerable": "14.x || 16.x || 18.x || 19.x", 6 | "patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/", 8 | "overview": "The Headers.set() and Headers.append() methods in the fetch API in Node.js where vulnerable to Regular a Expression Denial of Service (ReDoS) attacks.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "low" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/107.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-23920" 4 | ], 5 | "vulnerable": "14.x || 16.x || 18.x || 19.x", 6 | "patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/", 8 | "overview": "Node.js would search and potentially load ICU data when running with elevated priviledges. Node.js was modified to build with ICU_NO_USER_DATA_OVERRIDE to avoid this.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "low" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/108.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-30581" 4 | ], 5 | "vulnerable": "16.x || 18.x || 20.x", 6 | "patched": "^16.20.1 || ^18.16.1 || ^20.3.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", 8 | "overview": "The use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules outside of the policy.json definition", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/109.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-30582" 4 | ], 5 | "vulnerable": "20.x", 6 | "patched": "^20.3.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", 8 | "overview": "A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/11.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [], 3 | "vulnerable": "6.x", 4 | "patched": "^6.9.0", 5 | "ref": "https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/", 6 | "author": "Jann Horn", 7 | "description": "unauthorized clients can easily access inspector port", 8 | "overview": "Generate a UUID for each execution of the inspector. This provides additional\nsecurity to prevent unauthorized clients from connecting to the Node.js process\nvia the v8_inspector port when running with `--inspect`. Since the debugging\nprotocol allows extensive access to the internals of a running process, and the\nexecution of arbitrary code, it is important to limit connections to authorized\ntools only.\n\n", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/110.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-30583" 4 | ], 5 | "vulnerable": "20.x", 6 | "patched": "^20.3.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", 8 | "overview": "fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the --allow-fs-read flag in Node.js 20", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/111.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-30584" 4 | ], 5 | "vulnerable": "20.x", 6 | "patched": "^20.3.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", 8 | "overview": "A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/112.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-30585" 4 | ], 5 | "vulnerable": "16.x || 18.x || 20.x", 6 | "patched": "^16.20.1 || ^18.16.1 || ^20.3.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", 8 | "overview": "Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process", 9 | "affectedEnvironments": [ 10 | "win32" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/113.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-30586" 4 | ], 5 | "vulnerable": "20.x", 6 | "patched": "^20.3.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", 8 | "overview": "Node.js 20 allows loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/114.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-30587" 4 | ], 5 | "vulnerable": "20.x", 6 | "patched": "^20.3.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", 8 | "overview": "A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector).", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/115.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-30589" 4 | ], 5 | "vulnerable": "16.x || 18.x || 20.x", 6 | "patched": "^16.20.1 || ^18.16.1 || ^20.3.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", 8 | "overview": "The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/116.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-30588" 4 | ], 5 | "vulnerable": "16.x || 18.x || 20.x", 6 | "patched": "^16.20.1 || ^18.16.1 || ^20.3.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", 8 | "overview": "When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/117.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-30590" 4 | ], 5 | "vulnerable": "16.x || 18.x || 20.x", 6 | "patched": "^16.20.1 || ^18.16.1 || ^20.3.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/", 8 | "overview": "The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/118.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-32002" 4 | ], 5 | "vulnerable": "16.x || 18.x || 20.x", 6 | "patched": "^16.20.2 || ^18.17.1 || ^20.5.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/", 8 | "overview": "The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/119.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-32004" 4 | ], 5 | "vulnerable": "20.x", 6 | "patched": "^20.5.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/", 8 | "overview": "Improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/12.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2016-6304" 4 | ], 5 | "ref": "https://github.com/nodejs/node/pull/8714", 6 | "vulnerable": "6.x || 5.x || 4.x", 7 | "patched": "^6.7.0 || ^4.6.0", 8 | "description": "openssl 1.0.2h vulnerabilities", 9 | "overview": "A malicious client can exhaust a server's memory, resulting in a denial of\nservice (DoS) by sending very large OCSP Status Request extensions in a single\nsession.\n\nThis flaw is labelled high severity due to the ease of use for a DoS attack and\nNode.js servers using TLS are vulnerable.\n\n", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "unknown" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/120.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-32558" 4 | ], 5 | "vulnerable": "20.x", 6 | "patched": "^20.5.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/", 8 | "overview": "The use of the deprecated API process.binding() can bypass the permission model through path traversal.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/121.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-32006" 4 | ], 5 | "vulnerable": "16.x || 18.x || 20.x", 6 | "patched": "^16.20.2 || ^18.17.1 || ^20.5.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/", 8 | "overview": "The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/122.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-32559" 4 | ], 5 | "vulnerable": "16.x || 18.x || 20.x", 6 | "patched": "^16.20.2 || ^18.17.1 || ^20.5.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/", 8 | "overview": "The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') run arbitrary code, outside of the limits defined in a policy.json file.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/123.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-32005" 4 | ], 5 | "vulnerable": "20.x", 6 | "patched": "^20.5.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/", 8 | "overview": "A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/124.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-32003" 4 | ], 5 | "vulnerable": "20.x", 6 | "patched": "^20.5.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/", 8 | "overview": "fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check using a path traversal attack.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/125.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-45143" 4 | ], 5 | "vulnerable": "18.x || 20.x", 6 | "patched": "^18.18.2 || ^20.8.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/", 8 | "overview": "Cookie headers are not cleared in cross-domain redirect in undici-fetch (High)", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "low" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/126.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-44487" 4 | ], 5 | "vulnerable": "18.x || 20.x", 6 | "patched": "^18.18.2 || ^20.8.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/", 8 | "overview": "Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound causes denial of service (High)", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/127.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-39331" 4 | ], 5 | "vulnerable": "20.x", 6 | "patched": "^20.8.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/", 8 | "overview": "A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently. The implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations (High)", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/128.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-39332" 4 | ], 5 | "vulnerable": "20.x", 6 | "patched": "^20.8.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/", 8 | "overview": "Path traversal through path stored in Uint8Array (High)", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/129.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-38552" 4 | ], 5 | "vulnerable": "18.x || 20.x", 6 | "patched": "^18.18.2 || ^20.8.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/", 8 | "overview": "Integrity checks according to experimental policies can be circumvented (Medium)", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/13.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2016-2183" 4 | ], 5 | "ref": "https://github.com/nodejs/node/pull/8714", 6 | "vulnerable": "6.x || 5.x || 4.x", 7 | "patched": "^6.7.0 || ^4.6.0", 8 | "description": "openssl 1.0.2h vulnerabilities", 9 | "overview": "SWEET32 is a new attack on older block cipher algorithms that use a block size\nof 64 bits.\n\nAs mitigation, OpenSSL has moved DES-based ciphers from the HIGH to MEDIUM\ngroup. As Node.js includes HIGH, but not MEDIUM, in its default suite, affected\nciphers are no longer included unless the default suite is not used. Node's\ndefault TLS cipher suite can be found in the API documentation.\n\n", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "unknown" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/130.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-39333" 4 | ], 5 | "vulnerable": "18.x || 20.x", 6 | "patched": "^18.18.2 || ^20.8.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/", 8 | "overview": "Code injection via WebAssembly export names (Low)", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "low" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/131.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2023-46809" 4 | ], 5 | "vulnerable": "18.x || 20.x || 21.x", 6 | "patched": "^18.19.1 || ^20.11.1 || ^21.6.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/", 8 | "overview": "A vulnerability in the privateDecrypt() API of the crypto library, allowed a covert timing side-channel during PKCS#1 v1.5 padding error handling.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/132.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2024-21891" 4 | ], 5 | "vulnerable": "20.x || 21.x", 6 | "patched": "^20.11.1 || ^21.6.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/", 8 | "overview": "Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/133.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2024-21890" 4 | ], 5 | "vulnerable": "20.x || 21.x", 6 | "patched": "^20.11.1 || ^21.6.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/", 8 | "overview": "Improper handling of wildcards in --allow-fs-read and --allow-fs-write", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/134.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2024-21892" 4 | ], 5 | "vulnerable": "18.x || 20.x || 21.x", 6 | "patched": "^18.19.1 || ^20.11.1 || ^21.6.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/", 8 | "overview": "Code injection and privilege escalation through Linux capabilities", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/135.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2024-22019" 4 | ], 5 | "vulnerable": "18.x || 20.x || 21.x", 6 | "patched": "^18.19.1 || ^20.11.1 || ^21.6.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/", 8 | "overview": "A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS).", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/136.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2024-21896" 4 | ], 5 | "vulnerable": "20.x || 21.x", 6 | "patched": "^20.11.1 || ^21.6.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/", 8 | "overview": "The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve().", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/137.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2024-22017" 4 | ], 5 | "vulnerable": "20.x || 21.x", 6 | "patched": "^20.11.1 || ^21.6.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/", 8 | "overview": "setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid()", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/138.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2024-22025" 4 | ], 5 | "vulnerable": "18.x || 20.x || 21.x", 6 | "patched": "^18.19.1 || ^20.11.1 || ^21.6.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/", 8 | "overview": "A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/139.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2024-27983" 4 | ], 5 | "vulnerable": "18.x || 20.x || 21.x", 6 | "patched": "^18.20.1 || ^20.12.1 || ^21.7.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/", 8 | "description": "Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash", 9 | "overview": "An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "high" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/14.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2016-6303" 4 | ], 5 | "ref": "https://github.com/nodejs/node/pull/8714", 6 | "vulnerable": "6.x || 5.x || 4.x", 7 | "patched": "^6.7.0 || ^4.6.0", 8 | "description": "openssl 1.0.2h vulnerabilities", 9 | "overview": "An overflow can occur in MDC2_Update() under certain circumstances resulting in\nan out of bounds (OOB) error. This attack is impractical on most platforms due\nto the size of data required to trigger the OOB error.\n\nNode.js is impacted by this flaw but due to the impracticalities of exploiting\nit and the very low usage of of MDC-2, it is very low severity for Node.js\nusers.\n\n", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "unknown" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/140.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2024-27982" 4 | ], 5 | "vulnerable": "18.x || 20.x || 21.x", 6 | "patched": "^18.20.1 || ^20.12.1 || ^21.7.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/", 8 | "description": "HTTP Request Smuggling via Content Length Obfuscation", 9 | "overview": "The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "medium" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/141.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2024-27982" 4 | ], 5 | "vulnerable": "18.x || 20.x || 21.x", 6 | "patched": "^18.20.2 || ^20.12.2 || ^21.7.3", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2/", 8 | "overview": "Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.", 9 | "affectedEnvironments": [ 10 | "win32" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/143.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2024-36138" 4 | ], 5 | "vulnerable": "18.x || 20.x || 22.x", 6 | "patched": "^18.20.4 || ^20.15.1 || ^22.4.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/july-2024-security-releases/", 8 | "description": "Bypass incomplete fix of CVE-2024-27980", 9 | "overview": "The CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. This vulnerability arises from improper handling of batch files with all possible extensions on Windows via `child_process.spawn` / `child_process.spawnSync`. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.\n\nThis vulnerability affects all users of `child_process.spawn` and `child_process.spawnSync` on Windows in all active release lines.", 10 | "affectedEnvironments": [ 11 | "win32" 12 | ], 13 | "severity": "high" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/145.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2024-22020" 4 | ], 5 | "vulnerable": "18.x || 20.x || 22.x", 6 | "patched": "^18.20.4 || ^20.15.1 || ^22.4.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/july-2024-security-releases/", 8 | "description": "Bypass network import restriction via data URL", 9 | "overview": "A security flaw in Node.js allows a bypass of network import restrictions.\nBy embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.\n\nVerified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.\n\nExploiting this flaw can violate network import security, posing a risk to developers and servers.", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "medium" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/146.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2024-37372" 4 | ], 5 | "vulnerable": "20.x || 22.x", 6 | "patched": "^20.15.1 || ^22.4.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/july-2024-security-releases/", 8 | "description": "Permission model improperly processes UNC paths", 9 | "overview": "The Permission Model assumes that any path starting with two backslashes \\\\ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.\n\nThis vulnerability affects Windows users of the Node.js Permission Model in version v20.x and v22.x", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "low" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/147.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2025-23083" 4 | ], 5 | "vulnerable": "20.x || 22.x || 23.x", 6 | "patched": "^20.18.2 || ^22.13.1 || ^23.6.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/january-2025-security-releases/", 8 | "description": "Worker permission bypass via InternalWorker leak in diagnostics", 9 | "overview": "With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. \n\nThis vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "high" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/149.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2025-23085" 4 | ], 5 | "vulnerable": "18.x || 20.x || 22.x || 23.x", 6 | "patched": "^18.20.6 || ^20.18.2 || ^22.13.1 || ^23.6.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/january-2025-security-releases/", 8 | "description": "GOAWAY HTTP/2 frames cause memory leak outside heap", 9 | "overview": "A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.\n\nThis vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "medium" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/15.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2016-2178" 4 | ], 5 | "ref": "https://github.com/nodejs/node/pull/8714", 6 | "vulnerable": "6.x || 5.x || 4.x", 7 | "patched": "^6.7.0 || ^4.6.0", 8 | "description": "openssl 1.0.2h vulnerabilities", 9 | "overview": "A flaw in the OpenSSL DSA implementation means that a non-constant time codepath\nis followed for certain operations. This has been demonstrated through a\ncache-timing attack to be sufficient for an attacker to recover the private DSA\nkey.\n\nThis is very low severity for Node.js users due to the difficulty in taking\nadvantage of this attack and because DSA is very rarely used.\n\n", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "unknown" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/150.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2024-27980" 4 | ], 5 | "vulnerable": "18.x || 20.x || 21.x", 6 | "patched": "^18.20.2 || ^20.12.2 || ^21.7.3", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2", 8 | "description": "Command injection via args parameter of child_process.spawn without shell option enabled on Windows", 9 | "overview": "Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.", 10 | "affectedEnvironments": [ 11 | "win32" 12 | ], 13 | "severity": "high" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/151.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2025-23165" 4 | ], 5 | "vulnerable": "20.x || 22.x", 6 | "patched": "^20.19.2 || ^22.15.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/may-2025-security-releases/", 8 | "description": "Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo& args) when args[0] is a string.", 9 | "overview": "In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.\n\nImpact:\n* This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.", 10 | "affectedEnvironments": [ 11 | "win32" 12 | ], 13 | "severity": "low" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/152.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2025-23166" 4 | ], 5 | "vulnerable": "20.x || 22.x || 23.x || 24.x", 6 | "patched": "^20.19.2 || ^22.15.1 || ^23.11.1 || ^24.0.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/may-2025-security-releases/", 8 | "description": "Improper error handling in async cryptographic operations crashes process", 9 | "overview": " The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "high" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/153.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2025-23167" 4 | ], 5 | "vulnerable": "20.x", 6 | "patched": "^20.19.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/may-2025-security-releases/", 8 | "description": "Improper HTTP header block termination in llhttp", 9 | "overview": "A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\\r\\n\\rX` instead of the required `\\r\\n\\r\\n`.\nThis inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.\n\nThe issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.\n\nImpact:\n* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.\n", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "medium" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/16.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2016-6306" 4 | ], 5 | "ref": "https://github.com/nodejs/node/pull/8714", 6 | "vulnerable": "6.x || 5.x || 4.x", 7 | "patched": "^6.7.0 || ^4.6.0", 8 | "description": "openssl 1.0.2h vulnerabilities", 9 | "overview": "Some missing message length checks can result in out of bounds (OOB) reads of up\nto 2 bytes beyond an allocated buffer. There is a theoretical denial of service\n(DoS) risk. This only impacts a client or a server which enables client\nauthentication.\n\nNode.js is impacted by this low severity flaw.\n\n", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "unknown" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/17.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [], 3 | "ref": "https://github.com/nodejs/node-private/pull/73", 4 | "vulnerable": "6.x", 5 | "patched": "^6.7.0", 6 | "author": "Ahmed Zaki", 7 | "overview": "Remove support for loading dynamic third-party engine modules. An attacker\nmay be able to hide malicious code to be inserted into Node.js at runtime by\nmasquerading as one of the dynamic engine modules. Originally reported by\n\n", 8 | "affectedEnvironments": [ 9 | "all" 10 | ], 11 | "severity": "unknown" 12 | } 13 | -------------------------------------------------------------------------------- /vuln/core/19.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2016-7099" 4 | ], 5 | "ref": "https://github.com/nodejs/node/commit/743f0c9164", 6 | "vulnerable": "6.x || 4.x || 5.x", 7 | "patched": "^6.7.0 || ^4.6.0", 8 | "author": "Alexander Minozhenko and James Bunton (Atlassian)", 9 | "description": "invalid wildcard certificate validation check", 10 | "overview": "Fix invalid wildcard certificate validation check whereby a TLS server may be\nable to serve an invalid wildcard certificate for its hostname due to improper\nvalidation of `*.` in the wildcard string. \n\nThis is a high severity defect that would allow a malicious TLS server to serve\nan invalid wildcard certificate for its hostname and be improperly validated by\na Node.js client. This is due to a flaw in the validation of *. in the wildcard\nname string.\n\n", 11 | "affectedEnvironments": [ 12 | "all" 13 | ], 14 | "severity": "unknown" 15 | } 16 | -------------------------------------------------------------------------------- /vuln/core/2.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [], 3 | "vulnerable": "4.x || 5.x || 6.x || 7.x || 8.x", 4 | "patched": "^4.8.4 || ^6.11.1 || ^7.10.1 || ^8.1.4", 5 | "description": "DoS possible in V8 object lookup", 6 | "overview": "Disable V8 snapshots - The hashseed embedded in the snapshot is\ncurrently the same for all runs of the binary. This opens node up to\ncollision attacks which could result in a Denial of Service. We have\ntemporarily disabled snapshots until a more robust solution is found\nFixed: Ali Ijaz Sheikh\nReported: Fedor Indutny\nref: https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/\n\n", 7 | "affectedEnvironments": [ 8 | "all" 9 | ], 10 | "severity": "unknown" 11 | } 12 | -------------------------------------------------------------------------------- /vuln/core/20.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [], 3 | "ref": "https://github.com/nodejs/node-private/pull/73", 4 | "vulnerable": "6.x || 4.x", 5 | "patched": "^6.7.0 || ^4.6.0", 6 | "description": "**crypto**: don't build hardware engines (Ben Noordhuis)", 7 | "overview": "This is a low severity security defect. By default, OpenSSL will load a list of\nthird-party engine modules when the ENGINE_load_builtin_engines() function is\nused. These are normally not present on a user's system. An attacker may be able\nto make Node.js load malicious code by masquerading it as one of the dynamic\nengine modules.\n\nThis defect primarily impacts Windows due to the standard DLL search paths.\nHowever, UNIX users may also be at risk with a poorly configured LD_LIBRARY_PATH\nenvironment variable or /etc/ld.so.conf path list.\n\n", 8 | "affectedEnvironments": [ 9 | "all" 10 | ], 11 | "severity": "unknown" 12 | } 13 | -------------------------------------------------------------------------------- /vuln/core/21.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [], 3 | "vulnerable": "6.x || 5.x || 4.x", 4 | "patched": "^6.2.1 || ^4.5.0", 5 | "description": "Ignore negative lengths in calls to `Buffer()` and `Buffer.allocUnsafe()`.", 6 | "ref": "https://github.com/nodejs/node/issues/7047#issuecomment-222393982", 7 | "overview": "This fixes a possible security concern (reported by Feross Aboukhadijeh) where\nuser input is passed unchecked to the Buffer constructor or `allocUnsafe()` as\nit can expose parts of the memory slab used by other Buffers in the application.\nNote that negative lengths are not supported by the Buffer API and user input to\nthe constructor should always be sanitised and type-checked.\n\n", 8 | "affectedEnvironments": [ 9 | "all" 10 | ], 11 | "severity": "unknown" 12 | } 13 | -------------------------------------------------------------------------------- /vuln/core/22.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2016-2107" 4 | ], 5 | "vulnerable": "4.x || 5.x || 6.x", 6 | "patched": "^4.4.4 || ^5.11.1 || ^6.1.0", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/openssl-may-2016/#cve-2016-2107-padding-oracle-in-aes-ni-cbc-mac-check", 8 | "description": "Padding oracle in AES-NI CBC MAC check", 9 | "overview": "A man-in-the-middle (MITM) attacker may be able to execute a padding oracle\nattack to decrypt traffic when a connection uses an AES-CBC cipher and the\nserver runs on an Intel CPU supporting AES-NI. This is a common configuration\nfor TLS servers.\n\nThe OpenSSL project has labelled this vulnerability high severity.\n\n", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "unknown" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/23.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2016-2105" 4 | ], 5 | "vulnerable": "4.x || 5.x || 6.x", 6 | "patched": "^4.4.4 || ^5.11.1 || ^6.1.0", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/openssl-may-2016/#cve-2016-2107-padding-oracle-in-aes-ni-cbc-mac-check", 8 | "description": "EVP_EncodeUpdate overflow", 9 | "overview": "An overflow can occur in the OpenSSL EVP_EncodeUpdate() function which is used\nfor Base64 encoding of binary data. An attacker must be able to supply large\namounts of input data in order to cause an overflow.\n\nNode.js uses the EVP_EncodeUpdate() internally during calls to\ncrypto.Certificate#exportPublicKey() for SPKAC Certificate Signing\nRequests. User-supplied data must be passed to this method for\napplications to be vulnerable. This method has been available since\nNode.js v0.12.\n\n", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "unknown" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/25.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [], 3 | "vulnerable": "5.x || 4.x || 6.x", 4 | "patched": "^5.12.0 || ^4.5.0 || ^6.2.1", 5 | "ref": "https://github.com/nodejs/node/pull/7562", 6 | "description": "ignore negative allocation lengths", 7 | "affectedEnvironments": [ 8 | "all" 9 | ], 10 | "severity": "unknown" 11 | } 12 | -------------------------------------------------------------------------------- /vuln/core/27.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2016-2086" 4 | ], 5 | "vulnerable": "5.x || 4.x", 6 | "patched": "^5.6.0 || ^4.3.0", 7 | "overview": "Fix defects in HTTP header parsing for requests and responses that\ncan allow request smuggling (CVE-2016-2086).\n\nHTTP header parsing now aligns more closely with the HTTP spec\nincluding restricting the acceptable characters.\n\n", 8 | "affectedEnvironments": [ 9 | "all" 10 | ], 11 | "severity": "unknown" 12 | } 13 | -------------------------------------------------------------------------------- /vuln/core/28.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2016-2216" 4 | ], 5 | "vulnerable": "5.x || 4.x", 6 | "patched": "^5.6.0 || ^4.3.0", 7 | "overview": "Fix defects in HTTP header parsing for requests and responses that\ncan allow response splitting (CVE-2016-2216).\n\nHTTP header parsing now aligns more closely with the HTTP spec\nincluding restricting the acceptable characters.\n\nIntroduce new `--security-revert={cvenum}` command line flag for selective\nreversion of specific CVE fixes allow the fix for CVE-2016-2216 to be\nselectively reverted using `--security-revert=CVE-2016-2216`.\n\n", 8 | "affectedEnvironments": [ 9 | "all" 10 | ], 11 | "severity": "unknown" 12 | } 13 | -------------------------------------------------------------------------------- /vuln/core/29.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [], 3 | "vulnerable": "4.x || 5.x", 4 | "patched": "^5.11.1 || ^4.4.4", 5 | "description": "buffer safeguard against accidental kNoZeroFill", 6 | "overview": "To reproduce: try { Buffer(1e10); } catch (e) {} new Uint8Array(100);.\n\nTo be affected, one would need to:\n\nHave any way how the user could make the API pass huge numbers to\nBuffer/SlowBuffer/Buffer.allocUnsafe, e.g. by sending invalid input\n\n", 7 | "affectedEnvironments": [ 8 | "all" 9 | ], 10 | "severity": "unknown" 11 | } 12 | -------------------------------------------------------------------------------- /vuln/core/3.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2017-3731" 4 | ], 5 | "description": "Truncated packet could crash via OOB read", 6 | "vulnerable": "4.x || 5.x || 6.x || 7.x", 7 | "patched": "^4.7.3 || ^6.9.5 || ^7.5.0", 8 | "ref": "https://nodejs.org/en/blog/vulnerability/openssl-january-2017/", 9 | "overview": "This is a moderate severity flaw in OpenSSL. By default, Node.js disables RC4 so\nmost users are not affected. As RC4 can be enabled programmatically, it is\npossible for a Node.js developer to craft code that may be vulnerable to this\nflaw. Any user activating RC4 in their codebase should prioritise this update.\n\nAll active versions of Node.js are affected, but the severity is very low for\nmost users.\n\n", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "unknown" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/30.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [], 3 | "vulnerable": "4.x || 5.x", 4 | "patched": "^4.3.2 || ^5.7.1", 5 | "ref": "https://github.com/nodejs/node/pull/5507", 6 | "overview": "Fix a double-free defect in parsing malformed DSA keys that may potentially be\nused for DoS or memory corruption attacks. It is likely to be very difficult to\nuse this defect for a practical attack and is therefore considered low severity\nfor Node.js users. More info is available at\ncve: CVE-2016-0705\n\n", 7 | "affectedEnvironments": [ 8 | "all" 9 | ], 10 | "severity": "unknown" 11 | } 12 | -------------------------------------------------------------------------------- /vuln/core/31.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2016-0797" 4 | ], 5 | "vulnerable": "4.x || 5.x", 6 | "patched": "^4.3.2 || ^5.7.1", 7 | "ref": "https://github.com/nodejs/node/pull/5507", 8 | "overview": "Fix a defect that can cause memory corruption in certain very rare cases\nrelating to the internal `BN_hex2bn()` and `BN_dec2bn()` functions. It is\nbelieved that Node.js is not invoking the code paths that use these functions so\npractical attacks via Node.js using this defect are _unlikely_ to be possible.\n\n", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/32.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2016-0702" 4 | ], 5 | "vulnerable": "4.x || 5.x", 6 | "patched": "^4.3.2 || ^5.7.1", 7 | "ref": "https://ssrg.nicta.com.au/projects/TS/cachebleed", 8 | "overview": "Fix a defect that makes the _[CacheBleed\nAttack](https://ssrg.nicta.com.au/projects/TS/cachebleed/)_ possible. This\ndefect enables attackers to execute side-channel attacks leading to the\npotential recovery of entire RSA private keys. It only affects the Intel Sandy\nBridge (and possibly older) microarchitecture when using hyper-threading. Newer\nmicroarchitectures, including Haswell, are unaffected.\n\n", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/33.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [], 3 | "vulnerable": "4.x || 5.x", 4 | "patched": "^5.6.0 || ^4.3.0", 5 | "description": "mitigate against the Logjam attack", 6 | "overview": "To mitigate against the Logjam attack, TLS clients now reject Diffie-Hellman\nhandshakes with parameters shorter than 1024-bits, up from the previous limit of\n768-bits.\n\n", 7 | "affectedEnvironments": [ 8 | "all" 9 | ], 10 | "severity": "unknown" 11 | } 12 | -------------------------------------------------------------------------------- /vuln/core/34.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2015-8027" 4 | ], 5 | "vulnerable": "5.x || 4.x", 6 | "patched": "^5.1.1 || ^4.2.3", 7 | "overview": "A bug whereby an HTTP socket may no longer have a parser associated with it but\na pipelined request attempts to trigger a pause or resume on the non-existent\nparser, a potential denial-of-service vulnerability.\n\n", 8 | "affectedEnvironments": [ 9 | "all" 10 | ], 11 | "severity": "unknown" 12 | } 13 | -------------------------------------------------------------------------------- /vuln/core/35.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2015-6764" 4 | ], 5 | "vulnerable": "5.x || 4.x", 6 | "patched": "^5.1.1 || ^4.2.3", 7 | "overview": "Backport fix for CVE-2015-6764, a bug in v8's `JSON.stringify()` that can result\nin out-of-bounds reads for arrays.\n\n", 8 | "affectedEnvironments": [ 9 | "all" 10 | ], 11 | "severity": "unknown" 12 | } 13 | -------------------------------------------------------------------------------- /vuln/core/36.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2015-3193" 4 | ], 5 | "vulnerable": "5.x || 4.x", 6 | "patched": "^5.1.1 || ^4.2.3", 7 | "ref": "http://openssl.org/news/secadv/20151203.txt", 8 | "description": "BN_mod_exp may produce incorrect results on x86_64", 9 | "overview": "An attack may be possible against a Node.js TLS server using DHE key exchange.\nDetails are available at .\n\n", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "unknown" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/37.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2015-3194" 4 | ], 5 | "vulnerable": "5.x || 4.x", 6 | "patched": "^5.1.1 || ^4.2.3", 7 | "ref": "https://github.com/nodejs/node/pull/4134", 8 | "description": "Certificate verify crash with missing PSS parameter", 9 | "overview": "A potential denial-of-service vector for Node.js TLS servers using client\ncertificate authentication; TLS clients are also impacted. Details are available\nat .\n\n", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "unknown" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/38.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [], 3 | "vulnerable": "4.x || 6.x", 4 | "patched": "^4.7.2 || ^6.9.4", 5 | "description": "no shasum exists to verify downloads", 6 | "overview": "While promoting additional platforms for v4.7.1 and v6.9.3 after the release,\nthe tarballs on the release server were overwritten and now have different\nshasums.\n\n", 7 | "affectedEnvironments": [ 8 | "all" 9 | ], 10 | "severity": "unknown" 11 | } 12 | -------------------------------------------------------------------------------- /vuln/core/39.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [], 3 | "vulnerable": "4.x", 4 | "patched": "^4.1.1", 5 | "description": "data leakage via reuse of memory space in TypedArrays", 6 | "ref": "https://github.com/nodejs/node/pull/2931", 7 | "overview": "A bug was introduced in v4.1.0 where allocating a new zero-length buffer can\nresult in the _next_ allocation of a TypedArray in JavaScript not being\nzero-filled. In certain circumstances this could result in data leakage via\nreuse of memory space in TypedArrays, breaking the normally safe assumption that\nTypedArrays should be always zero-filled.\n\n", 8 | "affectedEnvironments": [ 9 | "all" 10 | ], 11 | "severity": "unknown" 12 | } 13 | -------------------------------------------------------------------------------- /vuln/core/4.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2017-3732" 4 | ], 5 | "vulnerable": "4.x || 5.x || 6.x || 7.x", 6 | "patched": "^4.7.3 || ^6.9.5 || ^7.5.0", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/openssl-january-2017/", 8 | "description": "BN_mod_exp may produce incorrect results on x86_64", 9 | "overview": "As noted by the OpenSSL team, the likelihood of being able to craft a practical\nattack that uses this flaw is very low. In addition, Node.js enables\nSSL_OP_SINGLE_DH_USE, further decreasing the chance of a successful exploit of\nthis vulnerability in a Node.js service.\n\nAll active versions of Node.js are affected, but the severity is very low for\nNode.js users.\n\n", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "unknown" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/40.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2015-7384" 4 | ], 5 | "vulnerable": "4.x", 6 | "patched": "^4.1.2", 7 | "cvss": "3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", 8 | "cvss_score": 5.9, 9 | "ref": "https://github.com/nodejs/node/pull/3128", 10 | "description": "out-of-order 'finish' event bug in pipelining can abort execution", 11 | "affectedEnvironments": [ 12 | "all" 13 | ], 14 | "severity": "unknown" 15 | } 16 | -------------------------------------------------------------------------------- /vuln/core/41.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [], 3 | "vulnerable": "4.x", 4 | "patched": "^4.1.1", 5 | "ref": "https://github.com/nodejs/node/pull/2945", 6 | "overview": "Guard against response-splitting of HTTP trailing headers added via\n[`response.addTrailers()`](https://nodejs.org/api/http.html#http_response_addtrailers_headers)\nby removing new-line (`[\\r\\n]`) characters from values. Note that standard\nheader values are already stripped of new-line characters. The expected security\nimpact is low because trailing headers are rarely used.\n\n", 7 | "affectedEnvironments": [ 8 | "all" 9 | ], 10 | "severity": "unknown" 11 | } 12 | -------------------------------------------------------------------------------- /vuln/core/42.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2017-14849" 4 | ], 5 | "vulnerable": "8.5.0", 6 | "patched": "^8.6.0", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/", 8 | "overview": "Node.js version 8.5.0 included a change which caused a security vulnerability in the checks on paths made by some community modules. As a result, an attacker may be able to access file system paths other than those intended.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/43.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2017-14919" 4 | ], 5 | "vulnerable": "^4.8.2 || ^6.10.2 || 8.x", 6 | "patched": "^4.8.5 || ^6.11.5 || ^8.8.0", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/oct-2017-dos/", 8 | "overview": "Node.js was susceptible to a remote DoS attack due to a change that came in as part of zlib v1.2.9. In zlib v1.2.9 8 became an invalid value for the windowBits parameter and Node's zlib module will crash or throw an exception (depending on the version) if you call zlib.createDeflateRaw({windowBits: 8}).", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/44.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2017-15896" 4 | ], 5 | "vulnerable": "4.x || 6.x || 8.x || 9.x", 6 | "patched": "^4.8.7 || ^6.12.2 || ^8.9.3 || ^9.2.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/", 8 | "overview": "Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/45.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2017-15897" 4 | ], 5 | "vulnerable": "8.x || 9.x", 6 | "patched": "^8.9.3 || ^9.2.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/", 8 | "overview": "Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, \"This is not correctly encoded\", \"hex\");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/49.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2018-7161" 4 | ], 5 | "vulnerable": "8.x || 9.x || 10.x", 6 | "patched": "^8.11.3 || ^9.11.2 || ^10.4.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/", 8 | "overview": "All versions of 8.x and later are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug where objects are used in native code after they are no longer available. This has been addressed by updating the http2 implementation. Thanks to Jordan Zebor at F5 Networks for reporting this issue.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/5.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2016-7055" 4 | ], 5 | "description": "Montgomery multiplication may produce incorrect results", 6 | "vulnerable": "4.x || 5.x || 6.x || 7.x", 7 | "patched": "^4.7.3 || ^6.9.5 || ^7.5.0", 8 | "ref": "https://nodejs.org/en/blog/vulnerability/openssl-january-2017/", 9 | "overview": "Some calculations, when run on an Intel Broadwell or later CPU, can produce in\nerroneous results. This flaw has been previously discussed by the Node.js team\non GitHub. It is not believed that practical attacks can be crafted to exploit\nthis vulnerability except in very specific circumstances. Therefore this is a\nlow severity flaw.\n\nAll active versions of Node.js are affected, but the severity is very low for\nNode.js users.\n\n", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "unknown" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/50.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2018-7162" 4 | ], 5 | "vulnerable": "9.x || 10.x", 6 | "patched": "^9.11.2 || ^10.4.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/", 8 | "overview": "All versions of 9.x and later are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshake. This vulnerability has been addressed by updating the TLS implementation. Thanks to Jordan Zebor at F5 Networks all of his help investigating this issue with the Node.js team.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/51.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2018-7164" 4 | ], 5 | "vulnerable": "9.7.x || 10.x", 6 | "patched": "^9.11.2 || ^10.4.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/", 8 | "overview": "Versions 9.7.0 and later are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession. This vulnerability was restored by reverting to the prior behaviour.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/52.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2018-7167" 4 | ], 5 | "vulnerable": "6.x || 8.x || 9.x", 6 | "patched": "^6.14.3 || ^8.11.3 || ^9.11.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/", 8 | "overview": "Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/54.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2018-12115" 4 | ], 5 | "vulnerable": "<= 10", 6 | "patched": "^6.14.4 || ^8.11.4 || >= 10.9.0", 7 | "publish_date": "2018-08-16", 8 | "author": "Сковорода Никита Андреевич (Nikita Skovoroda / @ChALkeR)", 9 | "ref": "https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/", 10 | "type": "CWE-787: Out-of-bounds Write", 11 | "overview": "When used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that start from the second-to-last position of a buffer cause a miscalculation of the maximum length of the input bytes to be written.", 12 | "affectedEnvironments": [ 13 | "all" 14 | ], 15 | "severity": "unknown" 16 | } 17 | -------------------------------------------------------------------------------- /vuln/core/55.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2018-12116" 4 | ], 5 | "vulnerable": "6.x || 8.x", 6 | "patched": "^6.15.0 || ^8.14.0", 7 | "publish_date": "2018-11-27", 8 | "author": "Matteo Collina", 9 | "reported_by": "Arkadiy Tetelman", 10 | "ref": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", 11 | "type": "CWE-115: Misinterpretation of Input", 12 | "overview": "HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.", 13 | "affectedEnvironments": [ 14 | "all" 15 | ], 16 | "severity": "unknown" 17 | } 18 | -------------------------------------------------------------------------------- /vuln/core/57.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2018-12121" 4 | ], 5 | "vulnerable": "6.x || 8.x || 10.x || 11.x", 6 | "patched": "^6.15.0 || ^8.14.0 || ^10.14.0 || ^11.3.0", 7 | "publish_date": "2018-11-27", 8 | "author": "Matteo Collina", 9 | "reported_by": "Trevor Norris", 10 | "ref": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", 11 | "type": "CWE-400: Uncontrolled Resource Consumption / Denial of Service", 12 | "overview": "Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.", 13 | "affectedEnvironments": [ 14 | "all" 15 | ], 16 | "severity": "unknown" 17 | } 18 | -------------------------------------------------------------------------------- /vuln/core/58.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2018-12122" 4 | ], 5 | "vulnerable": "6.x || 8.x || 10.x || 11.x", 6 | "patched": "^6.15.0 || ^8.14.0 || ^10.14.0 || ^11.3.0", 7 | "publish_date": "2018-11-27", 8 | "author": "Matteo Collina", 9 | "reported_by": "Jan Maybach", 10 | "ref": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", 11 | "type": "CWE-400: Uncontrolled Resource Consumption / Denial of Service", 12 | "overview": "Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.", 13 | "affectedEnvironments": [ 14 | "all" 15 | ], 16 | "severity": "unknown" 17 | } 18 | -------------------------------------------------------------------------------- /vuln/core/59.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2018-12123" 4 | ], 5 | "vulnerable": "6.x || 8.x || 10.x || 11.x", 6 | "patched": "^6.15.0 || ^8.14.0 || ^10.14.0 || ^11.3.0", 7 | "publish_date": "2018-11-27", 8 | "author": "Matteo Collina", 9 | "reported_by": "Martin Bajanik", 10 | "ref": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", 11 | "type": "CWE-115: Misinterpretation of Input", 12 | "overview": "Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case \"javascript:\" (e.g. \"javAscript:\") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.", 13 | "affectedEnvironments": [ 14 | "all" 15 | ], 16 | "severity": "unknown" 17 | } 18 | -------------------------------------------------------------------------------- /vuln/core/61.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2019-5739" 4 | ], 5 | "vulnerable": "6.x", 6 | "patched": "^6.17.0", 7 | "publish_date": "2019-02-28", 8 | "author": "Matteo Collina", 9 | "reported_by": "Timur Shemsedinov", 10 | "ref": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/", 11 | "type": "CWE-400: Uncontrolled Resource Consumption / Denial of Service", 12 | "overview": "Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.", 13 | "affectedEnvironments": [ 14 | "all" 15 | ], 16 | "severity": "unknown" 17 | } 18 | -------------------------------------------------------------------------------- /vuln/core/63.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2019-15604" 4 | ], 5 | "vulnerable": "10.x || 12.x || 13.x", 6 | "patched": "^10.19.0 || ^12.15.0 || ^13.8.0", 7 | "reported_by": "Rogier Schouten", 8 | "ref": "https://hackerone.com/reports/746733", 9 | "overview": "Remotely trigger an assertion on a TLS server with a malformed certificate string", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "unknown" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/64.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2019-15605" 4 | ], 5 | "vulnerable": "10.x || 12.x || 13.x", 6 | "patched": "^10.19.0 || ^12.15.0 || ^13.8.0", 7 | "reported_by": "Ethan Rubinson", 8 | "ref": "https://hackerone.com/reports/735748", 9 | "overview": "HTTP request smuggling using malformed Transfer-Encoding header", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "unknown" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/65.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2019-15606" 4 | ], 5 | "vulnerable": "10.x || 12.x || 13.x", 6 | "patched": "^10.19.0 || ^12.15.0 || ^13.8.0", 7 | "reported_by": "Alyssa Wilk", 8 | "ref": "https://hackerone.com/reports/730779", 9 | "overview": "HTTP header values do not have trailing OWS trimmed", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "unknown" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/66.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2020-8201" 4 | ], 5 | "vulnerable": "12.x || 14.x", 6 | "patched": "^12.18.4 || ^14.11.0", 7 | "reported_by": "Amit Klein", 8 | "ref": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/", 9 | "overview": "HTTP Request Smuggling due to CR-to-Hyphen conversion", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "high" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/67.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2020-8251" 4 | ], 5 | "vulnerable": "14.x", 6 | "patched": "^14.11.0", 7 | "reported_by": "Paolo Insogna and Matteo Collina", 8 | "ref": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/", 9 | "overview": "Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "critical" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/68.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2020-8252" 4 | ], 5 | "vulnerable": "10.x || 12.x || 14.x", 6 | "patched": "^10.22.1 || ^12.18.4 || ^14.9.0", 7 | "reported_by": "Xiaoyi Shi", 8 | "ref": "https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/", 9 | "overview": "fs.realpath.native on may cause buffer overflow", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "medium" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/69.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2020-8277" 4 | ], 5 | "vulnerable": " 12.x || 14.x || 15.x", 6 | "patched": " ^12.19.1 || ^14.15.1 || 15.2.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/", 8 | "overview": "Denial of Service through DNS request", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/7.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2016-9840", 4 | "CVE-2016-9841", 5 | "CVE-2016-9842", 6 | "CVE-2016-9843" 7 | ], 8 | "ref": "https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811", 9 | "description": "undefined language constructs that may have security impact", 10 | "vulnerable": "4.x || 5.x || 6.x || 7.x", 11 | "patched": "^4.8.2 || ^6.10.2 || ^7.6.0", 12 | "overview": "An upgrade to zlib 1.2.11 to fix a number of low severity CVEs\nthat were present in zlib 1.2.8.\n\n", 13 | "affectedEnvironments": [ 14 | "all" 15 | ], 16 | "severity": "unknown" 17 | } 18 | -------------------------------------------------------------------------------- /vuln/core/70.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2020-8265" 4 | ], 5 | "vulnerable": "10.x || 12.x || 14.x || 15.x", 6 | "patched": "^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/", 8 | "overview": "use-after-free in TLSWrap - affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/71.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2020-8287" 4 | ], 5 | "vulnerable": "10.x || 12.x || 14.x || 15.x", 6 | "patched": "^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/", 8 | "overview": "HTTP Request Smuggling in nodejs - Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html)", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "low" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/72.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2020-1971" 4 | ], 5 | "vulnerable": "10.x || 12.x || 14.x || 15.x", 6 | "patched": "^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.0", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/", 8 | "overview": "OpenSSL - EDIPARTYNAME NULL pointer de-reference - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/73.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2021-22883" 4 | ], 5 | "vulnerable": " 10.x || 12.x || 14.x || 15.x", 6 | "patched": " ^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/", 8 | "overview": "HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion - Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "critical" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/75.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2021-23840" 4 | ], 5 | "vulnerable": " 10.x || 12.x || 14.x || 15.x", 6 | "patched": " ^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/", 8 | "overview": "OpenSSL - Integer overflow in CipherUpdate - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "unknown" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/76.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2021-3450" 4 | ], 5 | "vulnerable": " 10.x || 12.x || 14.x || 15.x", 6 | "patched": " ^10.24.1 || ^12.22.1 || ^14.16.1 || ^15.14.0", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/", 8 | "overview": "This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/77.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2021-3449" 4 | ], 5 | "vulnerable": " 10.x || 12.x || 14.x || 15.x", 6 | "patched": " ^10.24.1 || ^12.22.1 || ^14.16.1 || ^15.14.0", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/", 8 | "overview": "This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/78.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2020-7774" 4 | ], 5 | "vulnerable": " 10.x || 12.x || 14.x", 6 | "patched": " ^10.24.1 || ^12.22.1 || ^14.16.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/", 8 | "overview": "This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/79.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2021-22930" 4 | ], 5 | "vulnerable": " 12.x || 14.x || 16.x", 6 | "patched": " ^12.22.4 || ^14.17.4 || ^16.6.0", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/", 8 | "overview": "Node.js before is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/8.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2016-5180" 4 | ], 5 | "vulnerable": "0.10.x || 0.12.x || 4.x", 6 | "patched": "^0.10.48 || ^0.12.17 || ^4.6.1", 7 | "description": "ares_create_query single byte out of buffer write", 8 | "ref": "https://c-ares.haxx.se/adv_20160929.html", 9 | "overview": "A security vulnerability has been discovered in the c-ares library that is\nbundled with all versions of Node.js. Due to the difficulty of triggering and\nmaking use of this vulnerability we currently consider this a low-severity\nsecurity flaw for Node.js users.\n\nMore information at https://c-ares.haxx.se/adv_20160929.html\n\n", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "unknown" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/80.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2021-22921" 4 | ], 5 | "vulnerable": " 12.x || 14.x || 16.x", 6 | "patched": " ^12.22.2 || ^14.17.2 || ^16.4.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/", 8 | "overview": "Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22921", 9 | "affectedEnvironments": [ 10 | "win32" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/81.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2021-27290" 4 | ], 5 | "vulnerable": " 12.x", 6 | "patched": " ^12.22.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/", 8 | "overview": "This is a vulnerability in the ssri npm module which may be vulnerable to denial of service attacks. You can read more about it in https://github.com/advisories/GHSA-vx3p-948g-6vhq", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/82.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2021-23362" 4 | ], 5 | "vulnerable": " 12.x", 6 | "patched": " ^12.22.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/", 8 | "overview": "This is a vulnerability in the hosted-git-info npm module which may be vulnerable to denial of service attacks. You can read more about it in https://nvd.nist.gov/vuln/detail/CVE-2021-23362", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/83.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2021-22918" 4 | ], 5 | "vulnerable": " 12.x || 14.x || 16.x", 6 | "patched": " ^12.22.2 || ^14.17.2 || ^16.4.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/", 8 | "overview": "Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/84.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2021-22931" 4 | ], 5 | "vulnerable": "12.x || 14.x || 16.x", 6 | "patched": "^12.22.5 || ^14.17.5 || ^16.6.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/", 8 | "overview": "Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js DNS library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it in: https://nvd.nist.gov/vuln/detail/CVE-2021-22931", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/85.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2021-22940" 4 | ], 5 | "vulnerable": "12.x || 14.x || 16.x", 6 | "patched": "^12.22.5 || ^14.17.5 || ^16.6.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/", 8 | "overview": "Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. The issue is a follow on to CVE-2021-22930 as the issue was not completely resolved in the fix for CVE-2021-22930. You can read more about it in: https://nvd.nist.gov/vuln/detail/CVE-2021-22940", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/86.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2021-22939" 4 | ], 5 | "vulnerable": "12.x || 14.x || 16.x", 6 | "patched": "^12.22.5 || ^14.17.5 || ^16.6.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/", 8 | "overview": "If the Node.js https API was used incorrectly and \"undefined\" was in passed for the \"rejectUnauthorized\" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it in: https://nvd.nist.gov/vuln/detail/CVE-2021-22939", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "low" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/88.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2021-22959", 4 | "CVE-2021-22960" 5 | ], 6 | "vulnerable": "12.x || 14.x || 16.x", 7 | "patched": " ^12.22.7 || ^14.18.1 || ^16.11.1", 8 | "ref": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/", 9 | "overview": "The http parser accepts requests with a space (SP) right after the header name before the colon. The http parser ignores chunk extensions when parsing the body of chunked requests. These can lead to HTTP Request Smuggling (HRS). See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960 for more details.", 10 | "affectedEnvironments": [ 11 | "all" 12 | ], 13 | "severity": "medium" 14 | } 15 | -------------------------------------------------------------------------------- /vuln/core/89.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2021-44531" 4 | ], 5 | "vulnerable": "12.x || 14.x || 16.x || 17.x", 6 | "patched": "^12.22.9 || ^14.18.3 || ^16.13.2 || ^17.3.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", 8 | "overview": "Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531 for more details.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/9.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [], 3 | "vulnerable": "6.x", 4 | "patched": "^6.9.0", 5 | "ref": "https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/", 6 | "description": "automatically loading OPENSSL_CONF is unsafe", 7 | "overview": "Always triggering a configuration file load attempt from `OPENSSL_CONF` or the\ndefault location for the current platform may allow an attacker to load\ncompromised OpenSSL configuration into a Node.js process if they are able to\nplace a file in a default location.\n\n", 8 | "affectedEnvironments": [ 9 | "all" 10 | ], 11 | "severity": "medium" 12 | } 13 | -------------------------------------------------------------------------------- /vuln/core/90.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2021-44532" 4 | ], 5 | "vulnerable": "12.x || 14.x || 16.x || 17.x", 6 | "patched": "^12.22.9 || ^14.18.3 || ^16.13.2 || ^17.3.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", 8 | "overview": "Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532 for more details.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/91.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2021-44533" 4 | ], 5 | "vulnerable": "12.x || 14.x || 16.x || 17.x", 6 | "patched": "^12.22.9 || ^14.18.3 || ^16.13.2 || ^17.3.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", 8 | "overview": "Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533 for more details.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/92.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2022-21824" 4 | ], 5 | "vulnerable": "12.x || 14.x || 16.x || 17.x", 6 | "patched": "^12.22.9 || ^14.18.3 || ^16.13.2 || ^17.3.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", 8 | "overview": "Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824 for more details.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "low" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/93.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2022-0778" 4 | ], 5 | "vulnerable": "12.x || 14.x || 16.x || 17.x", 6 | "patched": "^12.22.11 || ^14.19.1 || ^16.14.2 || ^17.7.2", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/mar-2022-security-releases/", 8 | "overview": "This is a vulnerability in OpenSSL: Infinite loop in BN_mod_sqrt() reachable when parsing certificates. More details are available at https://www.openssl.org/news/secadv/20220315.txt.", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "high" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/94.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2022-32215" 4 | ], 5 | "vulnerable": "14.x || 16.x || 18.x", 6 | "patched": "^14.20.1 || ^16.17.1 || ^18.9.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/", 8 | "overview": "The llhttp parser in the http module in Node does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/95.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2022-32214" 4 | ], 5 | "vulnerable": "14.x || 16.x || 18.x", 6 | "patched": "^14.20.0 || ^16.20.0 || ^18.5.0", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/", 8 | "overview": "The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/97.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2022-32213" 4 | ], 5 | "vulnerable": "14.x || 16.x || 18.x", 6 | "patched": "^14.20.1 || ^16.17.1 || ^18.9.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/", 8 | "overview": "The llhttp parser in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).", 9 | "affectedEnvironments": [ 10 | "all" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/core/99.json: -------------------------------------------------------------------------------- 1 | { 2 | "cve": [ 3 | "CVE-2022-32222" 4 | ], 5 | "vulnerable": "14.x || 16.x || 18.x", 6 | "patched": "^14.20.0 || ^16.20.0 || ^18.9.1", 7 | "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/", 8 | "overview": "On linux, versions of 18.x prior to Y used a default path for openssl.cnf that was within a path that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.", 9 | "affectedEnvironments": [ 10 | "linux" 11 | ], 12 | "severity": "medium" 13 | } 14 | -------------------------------------------------------------------------------- /vuln/index.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | 3 | const path = require('node:path'); 4 | 5 | module.exports = { 6 | paths: { 7 | npm: path.join(__dirname, 'npm'), 8 | core: path.join(__dirname, 'core') 9 | } 10 | }; 11 | -------------------------------------------------------------------------------- /vuln/npm/134.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 134, 3 | "created_at": "2016-07-27", 4 | "updated_at": "2017-02-10", 5 | "title": "Timing attack vulnerability", 6 | "author": { 7 | "name": "unknown", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "cookie-signature", 12 | "publish_date": "2016-08-29", 13 | "cves": [ 14 | "CVE-2016-1000236" 15 | ], 16 | "vulnerable_versions": "<=1.0.5", 17 | "patched_versions": ">=1.0.6", 18 | "overview": "Cookie-signature is a library for signing cookies.\n\nVersions before 1.0.4 were vulnerable to timing attacks.", 19 | "recommendation": "Upgrade to 1.0.6 or latest", 20 | "references": [ 21 | "https://github.com/tj/node-cookie-signature/commit/39791081692e9e14aa62855369e1c7f80fbfd50e" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N", 24 | "cvss_score": 5.4, 25 | "coordinating_vendor": "^Lift Security" 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/135.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 135, 3 | "created_at": "2016-08-01", 4 | "updated_at": "2017-02-10", 5 | "title": "XSS - Sanitization not applied recursively", 6 | "author": { 7 | "name": "Björn Kimminich", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "sanitize-html", 12 | "publish_date": "2016-08-01", 13 | "cves": [ 14 | "CVE-2016-1000237" 15 | ], 16 | "vulnerable_versions": "<=1.4.2", 17 | "patched_versions": ">=1.4.3", 18 | "overview": "Sanitization of HTML strings is not applied recursively to input, allowing an attacker to potentially inject script and other markup.", 19 | "recommendation": "Upgrade to 1.4.3 or later", 20 | "references": [ 21 | "https://github.com/punkave/sanitize-html/issues/29" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", 24 | "cvss_score": 4.7, 25 | "coordinating_vendor": "^Lift Security" 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/137.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 137, 3 | "created_at": "2016-08-08", 4 | "updated_at": "2017-02-10", 5 | "title": "XSS in URL Query String Parameter", 6 | "author": { 7 | "name": "mehmetaydogdu", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "swagger-ui", 12 | "publish_date": "2016-08-15", 13 | "cves": [ 14 | "CVE-2016-1000239" 15 | ], 16 | "vulnerable_versions": "2.1.0-M1 || 2.1.0-M2", 17 | "patched_versions": ">=2.1.0", 18 | "overview": "In versions 2.1.0-M1 and 2.1.0-M2, swagger-ui has a cross site scripting (XSS) vulnerability in the `url` query string parameter.", 19 | "recommendation": "Upgrade to 2.1.0 or later.", 20 | "references": [ 21 | "https://github.com/swagger-api/swagger-ui/issues/1262" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", 24 | "cvss_score": 9.1, 25 | "coordinating_vendor": "^Lift Security" 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/14.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 14, 3 | "created_at": "2015-10-17", 4 | "updated_at": "2016-04-28", 5 | "title": "Hidden Directories Always Served", 6 | "author": { 7 | "name": "Gil Pedersen", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "inert", 12 | "publish_date": "2014-12-16", 13 | "cves": [], 14 | "vulnerable_versions": "<1.1.1", 15 | "patched_versions": ">=1.1.1", 16 | "overview": "The inert directory handler always allows files in hidden directories to be served, even when `showHidden` is false.", 17 | "recommendation": "Update to version >= 1.1.1.", 18 | "references": [ 19 | "https://github.com/hapijs/inert/pull/15", 20 | "https://github.com/hapijs/inert/commit/e8f99f94da4cb08e8032eda984761c3f111e3e82" 21 | ], 22 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 23 | "cvss_score": 5.3, 24 | "coordinating_vendor": "^Lift Security" 25 | } 26 | -------------------------------------------------------------------------------- /vuln/npm/140.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 140, 3 | "created_at": "2016-08-15", 4 | "updated_at": "2017-02-10", 5 | "title": "Denial of Service", 6 | "author": { 7 | "name": "Matteo Collina", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "mqtt", 12 | "publish_date": "2016-08-26", 13 | "cves": [ 14 | "CVE-2016-1000242" 15 | ], 16 | "vulnerable_versions": "<=0.3.13", 17 | "patched_versions": ">=1.0.0", 18 | "overview": "Specifically crafted MQTT packets can crash the application, making a DoS attack feasible with very little bandwidth.", 19 | "recommendation": "Upgrade to v1.0.0 or later", 20 | "references": [ 21 | "https://github.com/mqttjs/MQTT.js/blob/388a084d7803934b18b43c1146c817deaa1396b1/lib/parse.js#L230" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 24 | "cvss_score": 7.5, 25 | "coordinating_vendor": "^Lift Security" 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/150.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 150, 3 | "created_at": "2016-10-17", 4 | "updated_at": "2016-12-07", 5 | "title": "Directory Traversal", 6 | "author": { 7 | "name": "Liang Gong", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "bitty", 12 | "publish_date": "2016-12-07", 13 | "cves": [], 14 | "vulnerable_versions": "<=99.999.99999", 15 | "patched_versions": "<0.0.0", 16 | "overview": "Bitty is a development web server tool that functions similar to `python -m SimpleHTTPServer`. \nVersion 0.2.10 has a directory traversal vulnerability that is exploitable via the URL path in GET requests.", 17 | "recommendation": null, 18 | "references": null, 19 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 20 | "cvss_score": 5.3, 21 | "coordinating_vendor": "^Lift Security" 22 | } 23 | -------------------------------------------------------------------------------- /vuln/npm/161.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 161, 3 | "created_at": "2016-11-30", 4 | "updated_at": "2016-12-18", 5 | "title": "Downloads Resources over HTTP", 6 | "author": { 7 | "name": "Adam Baldwin", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "unicode", 12 | "publish_date": "2016-12-18", 13 | "cves": [], 14 | "vulnerable_versions": "<=99.999.99999", 15 | "patched_versions": "<0.0.0", 16 | "overview": "unicode loads unicode data downloaded from unicode.org into nodejs.\n\nUnicode downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.", 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": null, 19 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", 20 | "cvss_score": 7.1, 21 | "coordinating_vendor": "^Lift Security" 22 | } 23 | -------------------------------------------------------------------------------- /vuln/npm/183.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 183, 3 | "created_at": "2016-11-30", 4 | "updated_at": "2016-12-16", 5 | "title": "Downloads Resources over HTTP", 6 | "author": { 7 | "name": "Adam Baldwin", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "geoip-lite-country", 12 | "publish_date": "2016-12-16", 13 | "cves": [], 14 | "vulnerable_versions": "<1.1.4", 15 | "patched_versions": ">=1.1.4", 16 | "overview": "geoip-lite-country is a stripped down version of geoip-lite, supporting only country lookup.\n\ngeoip-lite-country downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.", 17 | "recommendation": "Update to version 1.1.4 or greater.", 18 | "references": null, 19 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", 20 | "cvss_score": 7.1, 21 | "coordinating_vendor": "^Lift Security" 22 | } 23 | -------------------------------------------------------------------------------- /vuln/npm/197.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 197, 3 | "created_at": "2016-12-01", 4 | "updated_at": "2017-01-01", 5 | "title": "Downloads Resources over HTTP", 6 | "author": { 7 | "name": "Adam Baldwin", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "cobalt-cli", 12 | "publish_date": "2017-01-01", 13 | "cves": [], 14 | "vulnerable_versions": "<=99.999.99999", 15 | "patched_versions": "<0.0.0", 16 | "overview": "cobalt-cli downloads resources over HTTP, which leaves it vulnerable to MITM attacks.", 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": null, 19 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", 20 | "cvss_score": 7.1, 21 | "coordinating_vendor": "^Lift Security" 22 | } 23 | -------------------------------------------------------------------------------- /vuln/npm/206.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 206, 3 | "created_at": "2016-12-01", 4 | "updated_at": "2017-01-01", 5 | "title": "Downloads Resources over HTTP", 6 | "author": { 7 | "name": "Adam Baldwin", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "unicode-json", 12 | "publish_date": "2017-01-01", 13 | "cves": [], 14 | "vulnerable_versions": "<=99.999.99999", 15 | "patched_versions": "<0.0.0", 16 | "overview": "unicode-json is a unicode lookup table.\n\nunicode-json downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.", 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": null, 19 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", 20 | "cvss_score": 7.1, 21 | "coordinating_vendor": "^Lift Security" 22 | } 23 | -------------------------------------------------------------------------------- /vuln/npm/211.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 211, 3 | "created_at": "2016-12-01", 4 | "updated_at": "2017-01-01", 5 | "title": "Downloads Resources over HTTP", 6 | "author": { 7 | "name": "Adam Baldwin", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "bionode-sra", 12 | "publish_date": "2017-01-01", 13 | "cves": [], 14 | "vulnerable_versions": "<=99.999.99999", 15 | "patched_versions": "<0.0.0", 16 | "overview": "bionode-sra is a Node.js wrapper for SRA Toolkit.\n\nbionode-sra downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.", 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": null, 19 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", 20 | "cvss_score": 7.1, 21 | "coordinating_vendor": "^Lift Security" 22 | } 23 | -------------------------------------------------------------------------------- /vuln/npm/213.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 213, 3 | "created_at": "2016-12-01", 4 | "updated_at": "2017-01-01", 5 | "title": "Downloads Resources over HTTP", 6 | "author": { 7 | "name": "Adam Baldwin", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "pennyworth", 12 | "publish_date": "2017-01-01", 13 | "cves": [], 14 | "vulnerable_versions": "<=99.999.99999", 15 | "patched_versions": "<0.0.0", 16 | "overview": "pennyworth is a natural language templating engine.\n\npennyworth downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.", 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": null, 19 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", 20 | "cvss_score": 7.1, 21 | "coordinating_vendor": "^Lift Security" 22 | } 23 | -------------------------------------------------------------------------------- /vuln/npm/214.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 214, 3 | "created_at": "2016-12-01", 4 | "updated_at": "2017-01-01", 5 | "title": "Downloads Resources over HTTP", 6 | "author": { 7 | "name": "Adam Baldwin", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "node-browser", 12 | "publish_date": "2017-01-01", 13 | "cves": [], 14 | "vulnerable_versions": "<=99.999.99999", 15 | "patched_versions": "<0.0.0", 16 | "overview": "node-browser is a wrapper webdriver by nodejs.\n\nnode-browser downloads resources over HTTP, which leaves it vulnerable to MITM attacks.", 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": null, 19 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", 20 | "cvss_score": 7.1, 21 | "coordinating_vendor": "^Lift Security" 22 | } 23 | -------------------------------------------------------------------------------- /vuln/npm/228.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 228, 3 | "created_at": "2016-12-01", 4 | "updated_at": "2017-01-01", 5 | "title": "Downloads Resources over HTTP", 6 | "author": { 7 | "name": "Adam Baldwin", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "install-g-test", 12 | "publish_date": "2017-01-01", 13 | "cves": [], 14 | "vulnerable_versions": "<=99.999.99999", 15 | "patched_versions": "<0.0.0", 16 | "overview": "install-g-test downloads resources over HTTP, which leaves it vulnerable to MITM attacks.", 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": null, 19 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", 20 | "cvss_score": 7.1, 21 | "coordinating_vendor": "^Lift Security" 22 | } 23 | -------------------------------------------------------------------------------- /vuln/npm/234.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 234, 3 | "created_at": "2016-12-01", 4 | "updated_at": "2017-01-01", 5 | "title": "Downloads Resources over HTTP", 6 | "author": { 7 | "name": "Adam Baldwin", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "node-bsdiff-android", 12 | "publish_date": "2017-01-01", 13 | "cves": [], 14 | "vulnerable_versions": "<=99.999.99999", 15 | "patched_versions": "<0.0.0", 16 | "overview": "node-bsdiff-android downloads resources over HTTP, which leaves it vulnerable to MITM attacks.", 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": null, 19 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", 20 | "cvss_score": 7.1, 21 | "coordinating_vendor": "^Lift Security" 22 | } 23 | -------------------------------------------------------------------------------- /vuln/npm/256.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 256, 3 | "created_at": "2016-12-01", 4 | "updated_at": "2017-01-01", 5 | "title": "Downloads Resources over HTTP", 6 | "author": { 7 | "name": "Adam Baldwin", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "sfml", 12 | "publish_date": "2017-01-01", 13 | "cves": [], 14 | "vulnerable_versions": "<=99.999.99999", 15 | "patched_versions": "<0.0.0", 16 | "overview": "sfml downloads resources over HTTP, which leaves it vulnerable to MITM attacks.", 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": null, 19 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", 20 | "cvss_score": 7.1, 21 | "coordinating_vendor": "^Lift Security" 22 | } 23 | -------------------------------------------------------------------------------- /vuln/npm/315.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 315, 3 | "created_at": "2017-03-06", 4 | "updated_at": "2017-04-14", 5 | "title": "Unsafe eval()", 6 | "author": { 7 | "name": "Cristian-Alexandru Staicu", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "summit", 12 | "publish_date": "2017-04-14", 13 | "cves": [], 14 | "vulnerable_versions": ">=0.1.0", 15 | "patched_versions": "<0.0.0", 16 | "overview": "Summit is a node web framework. \n\nWhen using the PouchDB driver in the module, an attacker can execute arbitrary commands via the collection name.", 17 | "recommendation": "The PouchDB driver is not recommended for use in production.", 18 | "references": [ 19 | "https://github.com/notduncansmith/summit/issues/23)" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", 22 | "cvss_score": 6.5, 23 | "coordinating_vendor": "^Lift Security" 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/323.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 323, 3 | "created_at": "2017-03-10", 4 | "updated_at": "2017-04-11", 5 | "title": "Insufficient Error Handling", 6 | "author": { 7 | "name": "TJ Holowaychuk", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "http-proxy", 12 | "publish_date": "2017-04-11", 13 | "cves": [], 14 | "vulnerable_versions": "<=0.6.6", 15 | "patched_versions": ">=0.7.0", 16 | "overview": "Http-proxy is a proxying library.\n\nBecause of the way errors are handled in versions before 0.7.0, an attacker that forces an error can crash the server, causing a denial of service.", 17 | "recommendation": "Upgrade to v0.7.0 or later.", 18 | "references": [ 19 | "https://github.com/nodejitsu/node-http-proxy/pull/101)" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 22 | "cvss_score": 6.5, 23 | "coordinating_vendor": "^Lift Security" 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/358.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 358, 3 | "created_at": "2018-01-10", 4 | "updated_at": "2018-01-10", 5 | "title": "Directory Traversal", 6 | "author": { 7 | "name": "Yasin Soliman", 8 | "website": null, 9 | "username": "ysx" 10 | }, 11 | "module_name": "featurebook", 12 | "publish_date": "2018-01-10", 13 | "cves": [], 14 | "vulnerable_versions": "<=0.0.32", 15 | "patched_versions": null, 16 | "overview": "A crafted request can be used to traverse the directory structure of a host using the featurebook package, and request arbitrary files outside of the specified web root.", 17 | "recommendation": "featurebook serve is not meant to be run as a server app in production.", 18 | "references": [ 19 | "https://hackerone.com/reports/296305" 20 | ], 21 | "cvss_vector": null, 22 | "cvss_score": -1, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/359.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 359, 3 | "created_at": "2018-01-10", 4 | "updated_at": "2018-01-10", 5 | "title": "Directory Traversal", 6 | "author": { 7 | "name": "Yasin Soliman", 8 | "website": null, 9 | "username": "ysx" 10 | }, 11 | "module_name": "serve-here", 12 | "publish_date": "2018-01-10", 13 | "cves": [], 14 | "vulnerable_versions": "<=3.2.0", 15 | "patched_versions": null, 16 | "overview": "A crafted request can be used to traverse the directory structure of a host using the serve-here package, and request arbitrary files outside of the specified web root.", 17 | "recommendation": "Use the new version of the package @vivaxy/here with version >=3.2.2", 18 | "references": [ 19 | "https://hackerone.com/reports/296254" 20 | ], 21 | "cvss_vector": null, 22 | "cvss_score": -1, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/360.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 360, 3 | "created_at": "2018-01-23", 4 | "updated_at": "2018-01-23", 5 | "title": "Directory Traversal", 6 | "author": { 7 | "name": "Yasin Soliman", 8 | "website": null, 9 | "username": "ysx" 10 | }, 11 | "module_name": "augustine", 12 | "publish_date": "2018-01-23", 13 | "cves": [], 14 | "vulnerable_versions": "<=0.2.3", 15 | "patched_versions": null, 16 | "overview": "A crafted GET request can be leveraged to traverse the directory structure of a host using the augustine web server package, and request arbitrary files outside of the specified web root.", 17 | "recommendation": null, 18 | "references": [ 19 | "https://hackerone.com/reports/296282" 20 | ], 21 | "cvss_vector": null, 22 | "cvss_score": -1, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/361.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 361, 3 | "created_at": "2018-01-23", 4 | "updated_at": "2018-01-23", 5 | "title": "Directory Traversal", 6 | "author": { 7 | "name": "Yasin Soliman", 8 | "website": null, 9 | "username": "ysx" 10 | }, 11 | "module_name": "lactate", 12 | "publish_date": "2018-01-23", 13 | "cves": [], 14 | "vulnerable_versions": "<=0.13.12", 15 | "patched_versions": null, 16 | "overview": "A crafted GET request can be leveraged to traverse the directory structure of a host using the lactate web server package, and request arbitrary files outside of the specified web root.", 17 | "recommendation": null, 18 | "references": [ 19 | "https://hackerone.com/reports/296645" 20 | ], 21 | "cvss_vector": null, 22 | "cvss_score": -1, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/362.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 362, 3 | "created_at": "2018-01-23", 4 | "updated_at": "2018-01-23", 5 | "title": "Reflected Cross-Site Scripting", 6 | "author": { 7 | "name": "Yasin Soliman", 8 | "website": null, 9 | "username": "ysx" 10 | }, 11 | "module_name": "redis-commander", 12 | "publish_date": "2018-01-23", 13 | "cves": [], 14 | "vulnerable_versions": "<=0.13.12", 15 | "patched_versions": null, 16 | "overview": "An injection in the highlighterId parameter of the clipboard.swf component can be leveraged in a reflected XSS on hosts serving Redis Commander.", 17 | "recommendation": null, 18 | "references": [ 19 | "https://hackerone.com/reports/296377" 20 | ], 21 | "cvss_vector": null, 22 | "cvss_score": -1, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/363.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 363, 3 | "created_at": "2018-01-23", 4 | "updated_at": "2018-01-23", 5 | "title": "Directory Traversal", 6 | "author": { 7 | "name": "bl4de", 8 | "website": "https://twitter.com/_bl4de", 9 | "username": null 10 | }, 11 | "module_name": "serve", 12 | "publish_date": "2018-01-23", 13 | "cves": [ 14 | "CVE-2018-3712" 15 | ], 16 | "vulnerable_versions": "<=6.4.8", 17 | "patched_versions": ">=6.4.9", 18 | "overview": "serve handles directory listing on its own and does not protect against listing of any directory on the remote server.", 19 | "recommendation": "update serve to 6.4.9 or higher", 20 | "references": [ 21 | "https://hackerone.com/reports/307666" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 24 | "cvss_score": 9.3, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/378.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 378, 3 | "created_at": "2018-02-26", 4 | "updated_at": "2018-02-26", 5 | "title": "Path Traversal", 6 | "author": { 7 | "name": "bl4de", 8 | "website": "https://twitter.com/_bl4de", 9 | "username": null 10 | }, 11 | "module_name": "626", 12 | "publish_date": "2018-02-26", 13 | "cves": [ 14 | "CVE-2018-3727" 15 | ], 16 | "vulnerable_versions": "<=1.1.1", 17 | "patched_versions": null, 18 | "overview": "626 Path Traversal allows to read arbitrary file from remote server", 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/311216" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", 24 | "cvss_score": 8.6, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/381.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 381, 3 | "created_at": "2018-02-27", 4 | "updated_at": "2018-02-27", 5 | "title": "Path Traversal", 6 | "author": { 7 | "name": "bl4de", 8 | "website": "https://twitter.com/_bl4de", 9 | "username": null 10 | }, 11 | "module_name": "hekto", 12 | "publish_date": "2018-02-27", 13 | "cves": [ 14 | "CVE-2018-3725" 15 | ], 16 | "vulnerable_versions": "<0.2.3", 17 | "patched_versions": ">=0.2.3", 18 | "overview": "hekto suffers from Path Traversal vulnerability which allows to read content of arbitrary files", 19 | "recommendation": "update hekto to 0.2.3 or higher", 20 | "references": [ 21 | "https://hackerone.com/reports/311218" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", 24 | "cvss_score": 8.6, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/382.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 382, 3 | "created_at": "2018-03-03", 4 | "updated_at": "2018-03-03", 5 | "title": "XSS in links", 6 | "author": { 7 | "name": "joker314", 8 | "website": "https://joker314.github.io", 9 | "username": null 10 | }, 11 | "module_name": "mrk.js", 12 | "publish_date": "2018-03-03", 13 | "cves": [], 14 | "vulnerable_versions": "<2.0.1", 15 | "patched_versions": ">=2.0.1", 16 | "overview": "mrk.js suffered from a XSS vulnerability when markdown was converted to HTML.", 17 | "recommendation": "update mrk.js to version 2.0.1 and use mark.sanitizeURL() for any attributes when extending the md", 18 | "references": [ 19 | "https://github.com/heyitsmeuralex/mrk/pull/3" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L", 22 | "cvss_score": 8.9, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/383.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 383, 3 | "created_at": "2018-03-07", 4 | "updated_at": "2018-03-07", 5 | "title": "Path Traversal", 6 | "author": { 7 | "name": "bl4de", 8 | "website": "https://twitter.com/_bl4de", 9 | "username": null 10 | }, 11 | "module_name": "node-srv", 12 | "publish_date": "2018-03-07", 13 | "cves": [ 14 | "CVE-2018-3714" 15 | ], 16 | "vulnerable_versions": "<2.1.1", 17 | "patched_versions": ">=2.1.1", 18 | "overview": "node-srv path traversal allows to read arbitrary files from remote server", 19 | "recommendation": "update node-srv to 2.1.1 or higher", 20 | "references": [ 21 | "https://hackerone.com/reports/309124" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", 24 | "cvss_score": 8.6, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/384.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 384, 3 | "created_at": "2018-03-02", 4 | "updated_at": "2018-03-02", 5 | "title": "Path Traversal", 6 | "author": { 7 | "name": "bl4de", 8 | "website": "https://twitter.com/_bl4de", 9 | "username": null 10 | }, 11 | "module_name": "angular-http-server", 12 | "publish_date": "2018-03-02", 13 | "cves": [ 14 | "CVE-2018-3713" 15 | ], 16 | "vulnerable_versions": "<1.4.3", 17 | "patched_versions": ">=1.4.3", 18 | "overview": "angular-http-server path traversal allows to read arbitrary files from remote server", 19 | "recommendation": "update angular-http-server to 1.4.3 or higher", 20 | "references": [ 21 | "https://hackerone.com/reports/309120" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", 24 | "cvss_score": 8.6, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/385.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 385, 3 | "created_at": "2018-03-04", 4 | "updated_at": "2018-03-04", 5 | "title": "Path Traversal", 6 | "author": { 7 | "name": "bl4de", 8 | "website": "https://twitter.com/_bl4de", 9 | "username": null 10 | }, 11 | "module_name": "glance", 12 | "publish_date": "2018-03-04", 13 | "cves": [ 14 | "CVE-2018-3715" 15 | ], 16 | "vulnerable_versions": "<3.0.4", 17 | "patched_versions": ">=3.0.4", 18 | "overview": "path traversal in glance static file server allows to read content of arbitrary file", 19 | "recommendation": "update glance to 3.0.4 or higher", 20 | "references": [ 21 | "https://hackerone.com/reports/310106", 22 | "https://github.com/jarofghosts/glance/commit/8cfd88e44ebd3f07e3a2eaf376a3e758b6c4ca19" 23 | ], 24 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", 25 | "cvss_score": 8.6, 26 | "coordinating_vendor": null 27 | } 28 | -------------------------------------------------------------------------------- /vuln/npm/386.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 386, 3 | "created_at": "2018-03-07", 4 | "updated_at": "2018-03-07", 5 | "title": "Path Traversal", 6 | "author": { 7 | "name": "bl4de", 8 | "website": "https://twitter.com/_bl4de", 9 | "username": null 10 | }, 11 | "module_name": "stattic", 12 | "publish_date": "2018-03-07", 13 | "cves": [ 14 | "CVE-2018-3734" 15 | ], 16 | "vulnerable_versions": "<0.3.0", 17 | "patched_versions": ">=0.3.0", 18 | "overview": "stattic inproper path validation leads to path traversal and allows to read arbitrary files with any extension(s)", 19 | "recommendation": "update stattic to 0.3.0 or higher", 20 | "references": [ 21 | "https://hackerone.com/reports/319003" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", 24 | "cvss_score": 8.6, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/389.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 389, 3 | "title": "Information Exposure Through Directory Listing", 4 | "overview": "[serve] Directory listing and File access even when they have been set to be ignored.", 5 | "created_at": "2018-01-24", 6 | "updated_at": "2018-03-14", 7 | "publish_date": "2018-03-13", 8 | "author": { 9 | "name": "digitalwizard", 10 | "website": null, 11 | "username": null 12 | }, 13 | "module_name": "serve", 14 | "cves": [ 15 | "CVE-2018-3718" 16 | ], 17 | "vulnerable_versions": "<6.5.2", 18 | "patched_versions": ">=6.5.2", 19 | "recommendation": "update serve to 6.5.2 or higher", 20 | "references": [ 21 | "https://hackerone.com/reports/308721" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 24 | "cvss_score": 9.3, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/390.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 390, 3 | "title": "Cross-site Scripting (XSS) - Stored", 4 | "overview": "[simple-server] HTML with iframe element can be used as filename, which might lead to load and execute malicious JavaScript ", 5 | "created_at": "2018-01-26", 6 | "updated_at": "2018-03-02", 7 | "publish_date": "2018-03-02", 8 | "author": { 9 | "name": "bl4de", 10 | "website": "https://twitter.com/_bl4de", 11 | "username": null 12 | }, 13 | "module_name": "simple-server", 14 | "cves": [ 15 | "CVE-2018-3717" 16 | ], 17 | "vulnerable_versions": "<1.1.0", 18 | "patched_versions": ">=1.1.0", 19 | "recommendation": "update simple-server to 1.1.0 or higher", 20 | "references": [ 21 | "https://hackerone.com/reports/309641" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", 24 | "cvss_score": 7.7, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/391.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 391, 3 | "title": "Memory Exposure", 4 | "author": { 5 | "name": "Feross Aboukhadijeh", 6 | "website": null, 7 | "username": null 8 | }, 9 | "module_name": "bl", 10 | "created_at": "2018-03-24", 11 | "updated_at": "2018-03-24", 12 | "publish_date": "2016-01-19", 13 | "cves": [], 14 | "vulnerable_versions": "<=0.9.4 || 1.0.0", 15 | "patched_versions": ">=1.0.1 || >=0.9.5 <1.0.0", 16 | "overview": "bl.append(number) in the affected `bl` versions passes a number to Buffer constructor, appending a chunk of uninitialized memory", 17 | "recommendation": "update bl to 1.0.1 or higher", 18 | "references": [ 19 | "https://github.com/rvagg/bl/pull/22" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", 22 | "cvss_score": 6.5, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/40.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 40, 3 | "created_at": "2015-10-17", 4 | "updated_at": "2016-04-28", 5 | "title": "Command Injection", 6 | "author": { 7 | "name": "CodingTwinky", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "ungit", 12 | "publish_date": "2015-01-22", 13 | "cves": [ 14 | "CVE-2015-4130" 15 | ], 16 | "vulnerable_versions": "<=0.8.4", 17 | "patched_versions": ">=0.9.0", 18 | "overview": "Due to the use of `child_process.exec` when executing git commands, ungit allows for commands to be injection from user input fields that end up in an executed git command.", 19 | "recommendation": "Update to the version >=0.9.0", 20 | "references": [ 21 | "https://github.com/FredrikNoren/ungit/issues/486" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", 24 | "cvss_score": 6.5, 25 | "coordinating_vendor": "^Lift Security" 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/401.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 401, 3 | "title": "Denial of Service", 4 | "overview": "`sshpk` is vulnerable to ReDoS when parsing crafted invalid public keys", 5 | "created_at": "2018-02-25", 6 | "updated_at": "2018-04-05", 7 | "publish_date": "2018-04-05", 8 | "author": { 9 | "name": "Сковорода Никита Андреевич", 10 | "website": "https://github.com/ChALkeR", 11 | "username": null 12 | }, 13 | "module_name": "sshpk", 14 | "cves": [], 15 | "vulnerable_versions": "<=1.13.1", 16 | "patched_versions": ">=1.13.2", 17 | "recommendation": "update sshpk to 1.14.1 or higher", 18 | "references": [ 19 | "https://hackerone.com/reports/319593", 20 | "https://github.com/joyent/node-sshpk/blob/v1.13.1/lib/formats/ssh.js#L17" 21 | ], 22 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 23 | "cvss_score": 7.5, 24 | "coordinating_vendor": null 25 | } 26 | -------------------------------------------------------------------------------- /vuln/npm/403.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 403, 3 | "title": "Out-of-bounds Read", 4 | "overview": "`atob` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below", 5 | "created_at": "2018-03-04", 6 | "updated_at": "2018-04-09", 7 | "publish_date": "2018-04-09", 8 | "author": { 9 | "name": "Сковорода Никита Андреевич", 10 | "website": "https://github.com/ChALkeR", 11 | "username": null 12 | }, 13 | "module_name": "atob", 14 | "cves": [ 15 | "CVE-2018-3745" 16 | ], 17 | "vulnerable_versions": "<=2.0.3", 18 | "patched_versions": ">=2.1.0", 19 | "recommendation": "update atob to 2.1.0 or higher", 20 | "references": [ 21 | "https://hackerone.com/reports/321686" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", 24 | "cvss_score": 6.5, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/407.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 407, 3 | "title": "deap prototype pollution", 4 | "overview": "deap node module before 1.0.1 suffers from a prototype pollution vulnerability", 5 | "created_at": "2018-02-17", 6 | "updated_at": "2018-04-09", 7 | "publish_date": "2018-04-09", 8 | "author": { 9 | "name": "Olivier Arteau", 10 | "website": null, 11 | "username": "HoLyVieR" 12 | }, 13 | "module_name": "deap", 14 | "cves": [], 15 | "vulnerable_versions": "<1.0.1", 16 | "patched_versions": ">=1.0.1", 17 | "recommendation": "Update to module version >= 1.0.1", 18 | "references": [ 19 | "https://hackerone.com/reports/310446" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 22 | "cvss_score": 2, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/408.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 408, 3 | "title": "deep-extend prototype pollution", 4 | "overview": "deep-extend node module suffers from a prototype pollution vulnerability", 5 | "created_at": "2018-02-17", 6 | "updated_at": "2018-05-08", 7 | "publish_date": "2018-04-09", 8 | "author": { 9 | "name": "Olivier Arteau", 10 | "website": null, 11 | "username": "HoLyVieR" 12 | }, 13 | "module_name": "deep-extend", 14 | "cves": [], 15 | "vulnerable_versions": "<=0.5.0", 16 | "patched_versions": ">=0.5.1", 17 | "recommendation": "Update to version 0.5.1 or later.", 18 | "references": [ 19 | "https://hackerone.com/reports/311333" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 22 | "cvss_score": 2, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/409.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 409, 3 | "title": "merge-recursive prototype pollution", 4 | "overview": "merge-recursive node module suffers from a prototype pollution vulnerability", 5 | "created_at": "2018-02-17", 6 | "updated_at": "2018-04-09", 7 | "publish_date": "2018-04-09", 8 | "author": { 9 | "name": "Olivier Arteau", 10 | "website": null, 11 | "username": "HoLyVieR" 12 | }, 13 | "module_name": "merge-recursive", 14 | "cves": [], 15 | "vulnerable_versions": "<=0.0.3", 16 | "patched_versions": null, 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": [ 19 | "https://hackerone.com/reports/311337" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 22 | "cvss_score": 2, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/410.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 410, 3 | "title": "merge-options prototype pollution", 4 | "overview": "merge-options node module suffers from a prototype pollution vulnerability", 5 | "created_at": "2018-02-17", 6 | "updated_at": "2018-04-09", 7 | "publish_date": "2018-04-09", 8 | "author": { 9 | "name": "Olivier Arteau", 10 | "website": null, 11 | "username": "HoLyVieR" 12 | }, 13 | "module_name": "merge-options", 14 | "cves": [], 15 | "vulnerable_versions": "<=1.0.0", 16 | "patched_versions": null, 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": [ 19 | "https://hackerone.com/reports/311336" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 22 | "cvss_score": 2, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/411.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 411, 3 | "title": "merge-objects prototype pollution", 4 | "overview": "merge-objects node module suffers from a prototype pollution vulnerability", 5 | "created_at": "2018-02-17", 6 | "updated_at": "2018-04-09", 7 | "publish_date": "2018-04-09", 8 | "author": { 9 | "name": "Olivier Arteau", 10 | "website": null, 11 | "username": "HoLyVieR" 12 | }, 13 | "module_name": "merge-objects", 14 | "cves": [], 15 | "vulnerable_versions": "<=1.0.5", 16 | "patched_versions": null, 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": [ 19 | "https://hackerone.com/reports/310706" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 22 | "cvss_score": 2, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/412.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 412, 3 | "title": "pdfinfojs command injection", 4 | "overview": "The pdfinfojs NPM module has a command injection vulnerability that allows an attacker execute arbitrary commands on the victim's machine.", 5 | "created_at": "2018-02-17", 6 | "updated_at": "2018-04-09", 7 | "publish_date": "2018-04-09", 8 | "author": { 9 | "name": "Caio Lüders", 10 | "website": null, 11 | "username": "caioluders" 12 | }, 13 | "module_name": "pdfinfojs", 14 | "cves": [ 15 | "CVE-2018-3746" 16 | ], 17 | "vulnerable_versions": "<=0.3.6", 18 | "patched_versions": ">=0.4.1", 19 | "recommendation": "Update to module version >= 0.4.1", 20 | "references": [ 21 | "https://hackerone.com/reports/330957" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", 24 | "cvss_score": 7.8, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/413.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 413, 3 | "title": "Path Traversal", 4 | "overview": "[mcstatic] Path Traversal allows to read content of arbitrary files", 5 | "created_at": "2018-02-06", 6 | "updated_at": "2018-04-24", 7 | "publish_date": "2018-04-24", 8 | "author": { 9 | "name": "bl4de", 10 | "website": "https://twitter.com/_bl4de", 11 | "username": null 12 | }, 13 | "module_name": "mcstatic", 14 | "cves": [ 15 | "CVE-2018-3730" 16 | ], 17 | "vulnerable_versions": "<=0.0.20", 18 | "patched_versions": null, 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/312907" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", 24 | "cvss_score": 8.6, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/414.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 414, 3 | "title": "Cross-site Scripting (XSS) - Generic", 4 | "overview": "[cloudcmd] Stored XSS in the filename when directories listing", 5 | "created_at": "2018-04-20", 6 | "updated_at": "2018-04-25", 7 | "publish_date": "2018-04-25", 8 | "author": { 9 | "name": "Tung Pun", 10 | "website": "https://tungpun.pw", 11 | "username": null 12 | }, 13 | "module_name": "cloudcmd", 14 | "cves": [], 15 | "vulnerable_versions": "<=9.1.5", 16 | "patched_versions": ">=9.1.6", 17 | "recommendation": "update cloudcmd module to 9.1.6 or higher", 18 | "references": [ 19 | "https://hackerone.com/reports/341044", 20 | "https://github.com/coderaiser/cloudcmd/commit/23f4d4702cd3d473977285f26ea2ae7206b45f38" 21 | ], 22 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", 23 | "cvss_score": 8.5, 24 | "coordinating_vendor": null 25 | } 26 | -------------------------------------------------------------------------------- /vuln/npm/415.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 415, 3 | "title": "Cross-site Scripting (XSS) - Generic", 4 | "overview": "[react-svg] Scripts found in SVG files are run by default.", 5 | "created_at": "2018-04-27", 6 | "updated_at": "2018-04-27", 7 | "publish_date": "2018-04-27", 8 | "author": { 9 | "name": "Ron Perris", 10 | "website": null, 11 | "username": null 12 | }, 13 | "module_name": "react-svg", 14 | "cves": [], 15 | "vulnerable_versions": "<=2.2.17", 16 | "patched_versions": ">=2.2.18", 17 | "recommendation": "Update react-svg module to 2.2.18 or higher.", 18 | "references": [ 19 | "https://github.com/tanem/react-svg/pull/57" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", 22 | "cvss_score": 9.1, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/420.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 420, 3 | "title": "Path Traversal", 4 | "overview": "Path Traversal in html-pages module allows to read any file from the server with curl", 5 | "created_at": "2018-01-18", 6 | "updated_at": "2018-05-09", 7 | "publish_date": "2018-05-09", 8 | "author": { 9 | "name": "bl4de", 10 | "website": "https://twitter.com/_bl4de", 11 | "username": null 12 | }, 13 | "module_name": "html-pages", 14 | "cves": [ 15 | "CVE-2018-3744" 16 | ], 17 | "vulnerable_versions": "<=2.0.9", 18 | "patched_versions": ">=2.1.0", 19 | "recommendation": "Update to html-pages@2.1.0 or higher.", 20 | "references": [ 21 | "https://hackerone.com/reports/306607" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", 24 | "cvss_score": 9.5, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/421.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 421, 3 | "title": "Path Traversal", 4 | "overview": "[angular-http-server] Server Directory Traversal", 5 | "created_at": "2018-03-27", 6 | "updated_at": "2018-04-26", 7 | "publish_date": "2018-04-26", 8 | "author": { 9 | "name": "tungpun", 10 | "website": "https://tungpun.pw", 11 | "username": null 12 | }, 13 | "module_name": "angular-http-server", 14 | "cves": [], 15 | "vulnerable_versions": "<=1.4.3", 16 | "patched_versions": ">=1.4.4", 17 | "recommendation": "update angular-http-server to 1.44 or higher", 18 | "references": [ 19 | "https://hackerone.com/reports/330349", 20 | "https://github.com/simonh1000/angular-http-server/commit/8bafc9577161469f5dea01e0b98ea9c525d063e9" 21 | ], 22 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", 23 | "cvss_score": 8.6, 24 | "coordinating_vendor": null 25 | } 26 | -------------------------------------------------------------------------------- /vuln/npm/424.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 424, 3 | "title": "Path Traversal", 4 | "overview": "Bypass to defective fix of Path Traversal ", 5 | "created_at": "2018-03-26", 6 | "updated_at": "2018-05-11", 7 | "publish_date": "2018-05-11", 8 | "author": { 9 | "name": "Caio Lüders", 10 | "website": null, 11 | "username": null 12 | }, 13 | "module_name": "localhost-now", 14 | "cves": [], 15 | "vulnerable_versions": "<=1.0.2", 16 | "patched_versions": null, 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": [ 19 | "https://hackerone.com/reports/329837", 20 | "https://github.com/DCKT/localhost-now/blob/master/lib/app.js#L17" 21 | ], 22 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", 23 | "cvss_score": 8.6, 24 | "coordinating_vendor": null 25 | } 26 | -------------------------------------------------------------------------------- /vuln/npm/425.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 425, 3 | "title": "OS Command Injection", 4 | "overview": "[buttle] Remote Command Execution via unsanitized PHP filename when it's run with --php-bin flag", 5 | "created_at": "2018-03-29", 6 | "updated_at": "2018-05-11", 7 | "publish_date": "2018-05-11", 8 | "author": { 9 | "name": "bl4de", 10 | "website": "https://twitter.com/_bl4de", 11 | "username": null 12 | }, 13 | "module_name": "buttle", 14 | "cves": [], 15 | "vulnerable_versions": "<=0.2.0", 16 | "patched_versions": null, 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": [ 19 | "https://hackerone.com/reports/331032" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H", 22 | "cvss_score": 10, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/427.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 427, 3 | "title": "Command Injection - Generic", 4 | "overview": "`macaddress` concatenates unsanitized input into exec() command", 5 | "created_at": "2018-02-25", 6 | "updated_at": "2018-05-11", 7 | "publish_date": "2018-05-11", 8 | "author": { 9 | "name": "Сковорода Никита Андреевич", 10 | "website": "https://github.com/ChALkeR", 11 | "username": null 12 | }, 13 | "module_name": "macaddress", 14 | "cves": [], 15 | "vulnerable_versions": "<=0.2.8", 16 | "patched_versions": null, 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": [ 19 | "https://hackerone.com/reports/319467" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H", 22 | "cvss_score": 10, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/428.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 428, 3 | "title": "Out-of-bounds Read", 4 | "overview": "`base64url` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below", 5 | "created_at": "2018-03-04", 6 | "updated_at": "2018-05-11", 7 | "publish_date": "2018-05-11", 8 | "author": { 9 | "name": "Сковорода Никита Андреевич", 10 | "website": "https://github.com/ChALkeR", 11 | "username": null 12 | }, 13 | "module_name": "base64url", 14 | "cves": [], 15 | "vulnerable_versions": "<=2.0.0", 16 | "patched_versions": ">=3.0.0", 17 | "recommendation": "Update base64url module to 3.0.0 or higher.", 18 | "references": [ 19 | "https://hackerone.com/reports/321687", 20 | "https://github.com/brianloveswords/base64url/pull/25" 21 | ], 22 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", 23 | "cvss_score": 7.1, 24 | "coordinating_vendor": null 25 | } 26 | -------------------------------------------------------------------------------- /vuln/npm/429.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 429, 3 | "title": "Out-of-bounds Read", 4 | "overview": "`byte` allocates uninitialized buffers and reads data from them past the initialized length", 5 | "created_at": "2018-03-27", 6 | "updated_at": "2018-05-11", 7 | "publish_date": "2018-05-11", 8 | "author": { 9 | "name": "Сковорода Никита Андреевич", 10 | "website": "https://github.com/ChALkeR", 11 | "username": null 12 | }, 13 | "module_name": "byte", 14 | "cves": [], 15 | "vulnerable_versions": "<=1.4.0", 16 | "patched_versions": ">=1.4.1", 17 | "recommendation": "update `byte` module to 1.4.1 or higher", 18 | "references": [ 19 | "https://hackerone.com/reports/330351", 20 | "https://github.com/node-modules/byte/pull/34" 21 | ], 22 | "cvss_vector": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", 23 | "cvss_score": 5.2, 24 | "coordinating_vendor": null 25 | } 26 | -------------------------------------------------------------------------------- /vuln/npm/432.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 432, 3 | "title": "SQL Injection", 4 | "overview": "`sql` does not properly escape parameters when building SQL queries, resulting in potential SQLi", 5 | "created_at": "2018-02-25", 6 | "updated_at": "2018-05-12", 7 | "publish_date": "2018-05-12", 8 | "author": { 9 | "name": "Сковорода Никита Андреевич", 10 | "website": "https://github.com/ChALkeR", 11 | "username": null 12 | }, 13 | "module_name": "sql", 14 | "cves": [], 15 | "vulnerable_versions": "<=0.78.0", 16 | "patched_versions": null, 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": [ 19 | "https://hackerone.com/reports/319465" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", 22 | "cvss_score": 6.3, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/433.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 433, 3 | "title": "Command Injection - Generic", 4 | "overview": "`open` concatenates unsanitized input into exec() command", 5 | "created_at": "2018-02-25", 6 | "updated_at": "2018-05-12", 7 | "publish_date": "2018-05-12", 8 | "author": { 9 | "name": "Сковорода Никита Андреевич", 10 | "website": "https://github.com/ChALkeR", 11 | "username": null 12 | }, 13 | "module_name": "open", 14 | "cves": [], 15 | "vulnerable_versions": "<=0.0.5", 16 | "patched_versions": ">=6.0.0", 17 | "recommendation": "Upgrade to 6.0.0+", 18 | "references": [ 19 | "https://hackerone.com/reports/319473" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H", 22 | "cvss_score": 10, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/434.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 434, 3 | "title": "Out-of-bounds Read", 4 | "overview": "`base64-url` below 2.0 allocates uninitialized Buffers when number is passed in input", 5 | "created_at": "2018-03-04", 6 | "updated_at": "2018-05-12", 7 | "publish_date": "2018-05-12", 8 | "author": { 9 | "name": "Сковорода Никита Андреевич", 10 | "website": "https://github.com/ChALkeR", 11 | "username": null 12 | }, 13 | "module_name": "base64-url", 14 | "cves": [], 15 | "vulnerable_versions": "<=1.3.3", 16 | "patched_versions": ">=2.0.0", 17 | "recommendation": "update base64-url to 2.0.0 or higher", 18 | "references": [ 19 | "https://hackerone.com/reports/321692" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", 22 | "cvss_score": 8.6, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/436.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 436, 3 | "title": "Open Redirect", 4 | "overview": "[hekto] open redirect when target domain name is used as html filename on server", 5 | "created_at": "2018-02-28", 6 | "updated_at": "2018-05-20", 7 | "publish_date": "2018-05-20", 8 | "author": { 9 | "name": "panic", 10 | "website": null, 11 | "username": null 12 | }, 13 | "module_name": "hekto", 14 | "cves": [ 15 | "CVE-2018-3743" 16 | ], 17 | "vulnerable_versions": "<=0.2.3", 18 | "patched_versions": ">=0.2.4", 19 | "recommendation": "update hekto to 0.2.4 or higher", 20 | "references": [ 21 | "https://hackerone.com/reports/320693", 22 | "https://github.com/herber/hekto/pull/3" 23 | ], 24 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", 25 | "cvss_score": 2.7, 26 | "coordinating_vendor": null 27 | } 28 | -------------------------------------------------------------------------------- /vuln/npm/438.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 438, 3 | "title": "Command Injection - Generic", 4 | "overview": "Command injection in 'pdf-image'", 5 | "created_at": "2018-04-18", 6 | "updated_at": "2018-05-29", 7 | "publish_date": "2018-05-29", 8 | "author": { 9 | "name": "N B Sri Harshа", 10 | "website": "http://nbsriharsha.blogspot.in", 11 | "username": null 12 | }, 13 | "module_name": "pdf-image", 14 | "cves": [ 15 | "CVE-2018-3757" 16 | ], 17 | "vulnerable_versions": "<=1.0.5", 18 | "patched_versions": ">=2.0.0", 19 | "recommendation": "update pdf-image to 2.0.0 or higher", 20 | "references": [ 21 | "https://hackerone.com/reports/340208" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", 24 | "cvss_score": 6.1, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/439.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 439, 3 | "title": "Information Exposure Through Directory Listing", 4 | "overview": "[serve] Directory listing and File access even when they have been set to be ignored", 5 | "created_at": "2018-03-28", 6 | "updated_at": "2018-05-31", 7 | "publish_date": "2018-05-31", 8 | "author": { 9 | "name": "tungpun", 10 | "website": "https://tungpun.pw", 11 | "username": null 12 | }, 13 | "module_name": "serve", 14 | "cves": [ 15 | "CVE-2018-3809" 16 | ], 17 | "vulnerable_versions": "<=6.5.3", 18 | "patched_versions": ">=7.0.0", 19 | "recommendation": "update serve to 7.0.1 or higher", 20 | "references": [ 21 | "https://hackerone.com/reports/330650" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 24 | "cvss_score": 9.3, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/441.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 441, 3 | "title": "Path Traversal", 4 | "overview": "Unrestricted file upload (RCE)", 5 | "created_at": "2018-04-27", 6 | "updated_at": "2018-06-02", 7 | "publish_date": "2018-06-02", 8 | "author": { 9 | "name": "Patrick", 10 | "website": null, 11 | "username": null 12 | }, 13 | "module_name": "express-cart", 14 | "cves": [ 15 | "CVE-2018-3758" 16 | ], 17 | "vulnerable_versions": "<=1.1.5", 18 | "patched_versions": ">=1.1.7", 19 | "recommendation": "update express-cart to 1.1.7 or higher", 20 | "references": [ 21 | "https://hackerone.com/reports/343726" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", 24 | "cvss_score": 9.1, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/443.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 443, 3 | "title": "Out-of-bounds Read", 4 | "overview": "`njwt` allocates uninitialized Buffers when number is passed in base64urlEncode input", 5 | "created_at": "2018-03-04", 6 | "updated_at": "2018-06-14", 7 | "publish_date": "2018-06-14", 8 | "author": { 9 | "name": "Сковорода Никита Андреевич", 10 | "website": "https://github.com/ChALkeR", 11 | "username": null 12 | }, 13 | "module_name": "njwt", 14 | "cves": [], 15 | "vulnerable_versions": "<=0.4.0", 16 | "patched_versions": null, 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": [ 19 | "https://hackerone.com/reports/321704" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", 22 | "cvss_score": 1.8, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/444.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 444, 3 | "title": "Out-of-bounds Read", 4 | "overview": "`put` allocates uninitialized Buffers when non-round numbers are passed in input", 5 | "created_at": "2018-03-04", 6 | "updated_at": "2018-06-14", 7 | "publish_date": "2018-06-14", 8 | "author": { 9 | "name": "Сковорода Никита Андреевич", 10 | "website": "https://github.com/ChALkeR", 11 | "username": null 12 | }, 13 | "module_name": "put", 14 | "cves": [], 15 | "vulnerable_versions": "<=0.0.6", 16 | "patched_versions": null, 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": [ 19 | "https://hackerone.com/reports/321702" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", 22 | "cvss_score": 1.8, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/445.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 445, 3 | "title": "Out-of-bounds Read", 4 | "overview": "`utile` allocates uninitialized Buffers when number is passed in input", 5 | "created_at": "2018-03-04", 6 | "updated_at": "2018-06-14", 7 | "publish_date": "2018-06-14", 8 | "author": { 9 | "name": "Сковорода Никита Андреевич", 10 | "website": "https://github.com/ChALkeR", 11 | "username": null 12 | }, 13 | "module_name": "utile", 14 | "cves": [], 15 | "vulnerable_versions": "<=0.3.0", 16 | "patched_versions": null, 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": [ 19 | "https://hackerone.com/reports/321701" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", 22 | "cvss_score": 1.8, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/446.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 446, 3 | "title": "Path Traversal", 4 | "overview": "[file-static-server] Path Traversal allows to read content of arbitrary file on the server", 5 | "created_at": "2018-01-31", 6 | "updated_at": "2018-06-14", 7 | "publish_date": "2018-06-14", 8 | "author": { 9 | "name": "bl4de", 10 | "website": "https://twitter.com/_bl4de", 11 | "username": null 12 | }, 13 | "module_name": "file-static-server", 14 | "cves": [], 15 | "vulnerable_versions": "<=1.0.2", 16 | "patched_versions": null, 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": [ 19 | "https://hackerone.com/reports/310671" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", 22 | "cvss_score": 3.5, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/447.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 447, 3 | "title": "Command Injection - Generic", 4 | "overview": "Remote Command Execution vulnerability in pullit", 5 | "created_at": "2018-02-14", 6 | "updated_at": "2018-06-14", 7 | "publish_date": "2018-06-14", 8 | "author": { 9 | "name": "Liran Tal", 10 | "website": "https://github.com/lirantal/", 11 | "username": null 12 | }, 13 | "module_name": "pullit", 14 | "cves": [], 15 | "vulnerable_versions": "<=1.3.0", 16 | "patched_versions": ">= 1.4.0", 17 | "recommendation": "Update pullit module to version >= 1.4.0", 18 | "references": [ 19 | "https://hackerone.com/reports/315773" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", 22 | "cvss_score": 9.3, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/449.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 449, 3 | "title": "Path Traversal", 4 | "overview": "[buttle] Path traversal in mid-buttle module allows to read any file in the server.", 5 | "created_at": "2018-05-27", 6 | "updated_at": "2018-06-27", 7 | "publish_date": "2018-06-27", 8 | "author": { 9 | "name": "N0n4me", 10 | "website": null, 11 | "username": null 12 | }, 13 | "module_name": "buttle", 14 | "cves": [ 15 | "CVE-2018-3766" 16 | ], 17 | "vulnerable_versions": "<=0.2.0", 18 | "patched_versions": null, 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/358112" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", 24 | "cvss_score": 10, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/454.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 454, 3 | "title": "Path Traversal", 4 | "overview": "[markdown-pdf] Local file reading", 5 | "created_at": "2018-06-01", 6 | "updated_at": "2018-07-20", 7 | "publish_date": "2018-07-20", 8 | "author": { 9 | "name": "Mike", 10 | "website": "https://twitter.com/__Mn1__", 11 | "username": null 12 | }, 13 | "module_name": "markdown-pdf", 14 | "cves": [ 15 | "CVE-2018-3770" 16 | ], 17 | "vulnerable_versions": "<9.0.0", 18 | "patched_versions": ">=9.0.0", 19 | "recommendation": "Update markdown-pdf module to version >=9.0.0", 20 | "references": [ 21 | "https://hackerone.com/reports/360727" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L", 24 | "cvss_score": 5.3, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/457.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 457, 3 | "title": "Improper Authorization", 4 | "overview": "Aedes does not respect its own authorization rules when a client sets a Last Will", 5 | "created_at": "2018-08-07", 6 | "updated_at": "2018-08-07", 7 | "publish_date": "2018-08-07", 8 | "author": { 9 | "name": "Matteo Collina", 10 | "website": null, 11 | "username": "mcollina" 12 | }, 13 | "module_name": "aedes", 14 | "cves": [ 15 | "CVE-2018-3778" 16 | ], 17 | "vulnerable_versions": "<=0.35.0", 18 | "patched_versions": ">=0.35.1", 19 | "recommendation": "Update aedes module to version >= 0.35.1", 20 | "references": [ 21 | "https://github.com/mcollina/aedes/issues/211", 22 | "https://github.com/mcollina/aedes/issues/212" 23 | ], 24 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", 25 | "cvss_score": 5.0, 26 | "coordinating_vendor": null 27 | } 28 | -------------------------------------------------------------------------------- /vuln/npm/458.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 458, 3 | "title": "Arbitrary File Write Through Archive Extraction", 4 | "overview": "attackers can write arbitrary files when a malicious archive is extracted.", 5 | "created_at": "2018-08-12", 6 | "updated_at": "2018-08-12", 7 | "publish_date": "2018-08-12", 8 | "author": { 9 | "name": "Danny Grander", 10 | "website": null, 11 | "username": "danny_grander" 12 | }, 13 | "module_name": "adm-zip", 14 | "cves": [ 15 | "CVE-2018-1002204" 16 | ], 17 | "vulnerable_versions": "<0.4.9", 18 | "patched_versions": ">=0.4.9", 19 | "recommendation": "Update adm-zip module to version >= 0.4.9", 20 | "references": [ 21 | "https://hackerone.com/reports/362118" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", 24 | "cvss_score": 8.2, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/459.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 459, 3 | "title": "Arbitrary File Write Through Archive Extraction", 4 | "overview": "attackers can write arbitrary files when a malicious archive is extracted.", 5 | "created_at": "2018-08-12", 6 | "updated_at": "2018-08-12", 7 | "publish_date": "2018-08-12", 8 | "author": { 9 | "name": "Danny Grander", 10 | "website": null, 11 | "username": "danny_grander" 12 | }, 13 | "module_name": "unzipper", 14 | "cves": [ 15 | "CVE-2018-1002203" 16 | ], 17 | "vulnerable_versions": "<0.8.13", 18 | "patched_versions": ">=0.8.13", 19 | "recommendation": "Update unzipper module to version >= 0.8.13", 20 | "references": [ 21 | "https://hackerone.com/reports/362119" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", 24 | "cvss_score": 8.2, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/460.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 460, 3 | "title": "Privilege Escalation", 4 | "overview": "[flintcms] Account takeover due to blind MongoDB injection in password reset", 5 | "created_at": "2018-07-25", 6 | "updated_at": "2018-08-16", 7 | "publish_date": "2018-08-15", 8 | "author": { 9 | "name": "Benoit Côté-Jodoin", 10 | "website": "http://bcj.io", 11 | "username": "becojo" 12 | }, 13 | "module_name": "flintcms", 14 | "cves": [ 15 | "CVE-2018-3783" 16 | ], 17 | "vulnerable_versions": "<=1.1.9", 18 | "patched_versions": ">=1.1.10", 19 | "recommendation": "Update flintcms module to version >=1.1.0", 20 | "references": [ 21 | "https://hackerone.com/reports/386807" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", 24 | "cvss_score": 9, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/461.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 461, 3 | "title": "Code Injection", 4 | "overview": "Insecure implementation of deserialization in cryo", 5 | "created_at": "2018-05-11", 6 | "updated_at": "2018-06-19", 7 | "publish_date": "2018-06-19", 8 | "author": { 9 | "name": "Alexey Tyurin", 10 | "website": null, 11 | "username": "greendog" 12 | }, 13 | "module_name": "cryo", 14 | "cves": [ 15 | "CVE-2018-3784" 16 | ], 17 | "vulnerable_versions": "<=0.0.6", 18 | "patched_versions": null, 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/350418" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:H", 24 | "cvss_score": 8.7, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/463.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 463, 3 | "title": "Command Injection - Generic", 4 | "overview": "[egg-scripts] Command injection", 5 | "created_at": "2018-07-31", 6 | "updated_at": "2018-08-19", 7 | "publish_date": "2018-08-19", 8 | "author": { 9 | "name": "Douglas Hall", 10 | "website": null, 11 | "username": "douglas_hall" 12 | }, 13 | "module_name": "egg-scripts", 14 | "cves": [ 15 | "CVE-2018-3786" 16 | ], 17 | "vulnerable_versions": "<2.8.1", 18 | "patched_versions": ">=2.8.1", 19 | "recommendation": "Update egg-scripts module to version >=2.8.1", 20 | "references": [ 21 | "https://hackerone.com/reports/388936", 22 | "https://github.com/eggjs/egg-scripts/pull/26" 23 | ], 24 | "cvss_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", 25 | "cvss_score": 8.6, 26 | "coordinating_vendor": null 27 | } 28 | -------------------------------------------------------------------------------- /vuln/npm/464.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 464, 3 | "title": "Cross-site Scripting (XSS) - Generic", 4 | "overview": "[exceljs] Possible XSS via cell value when worksheet is displayed in browser", 5 | "created_at": "2018-05-24", 6 | "updated_at": "2018-09-01", 7 | "publish_date": "2018-09-01", 8 | "author": { 9 | "name": "bl4de", 10 | "website": "https://twitter.com/_bl4de", 11 | "username": "bl4de" 12 | }, 13 | "module_name": "exceljs", 14 | "cves": [ 15 | "CVE-2018-16459" 16 | ], 17 | "vulnerable_versions": "<1.6.0", 18 | "patched_versions": ">=1.6.0", 19 | "recommendation": "Update exceljs module to version >=1.6.0", 20 | "references": [ 21 | "https://hackerone.com/reports/356809" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", 24 | "cvss_score": 6.8, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/465.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 465, 3 | "title": "Command Injection - Generic", 4 | "overview": "[samsung-remote] Command injection", 5 | "created_at": "2018-08-13", 6 | "updated_at": "2018-09-02", 7 | "publish_date": "2018-09-02", 8 | "author": { 9 | "name": "Douglas Hall", 10 | "website": null, 11 | "username": "douglas_hall" 12 | }, 13 | "module_name": "samsung-remote", 14 | "cves": [], 15 | "vulnerable_versions": "<1.3.5", 16 | "patched_versions": ">=1.3.5", 17 | "recommendation": "Update samsung-remote module to version >=1.3.5", 18 | "references": [ 19 | "https://hackerone.com/reports/394294" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", 22 | "cvss_score": 10, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/467.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 467, 3 | "title": "Cross-site Scripting (XSS) - Stored", 4 | "overview": "[m-server] HTML Injection in filenames displayed as directory listing in the browser allows to embed iframe with malicious JavaScript code", 5 | "created_at": "2018-02-26", 6 | "updated_at": "2018-07-12", 7 | "publish_date": "2018-07-12", 8 | "author": { 9 | "name": "bl4de", 10 | "website": "https://twitter.com/_bl4de", 11 | "username": "bl4de" 12 | }, 13 | "module_name": "m-server", 14 | "cves": [], 15 | "vulnerable_versions": "<1.4.2", 16 | "patched_versions": ">=1.4.2", 17 | "recommendation": "Update m-server module to version 1.4.2", 18 | "references": [ 19 | "https://hackerone.com/reports/319794" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", 22 | "cvss_score": 6, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/468.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 468, 3 | "title": "Path Traversal", 4 | "overview": "[m-server] Path Traversal allows to display content of arbitrary file(s) from the server", 5 | "created_at": "2018-02-26", 6 | "updated_at": "2018-07-20", 7 | "publish_date": "2018-07-12", 8 | "author": { 9 | "name": "bl4de", 10 | "website": "https://twitter.com/_bl4de", 11 | "username": "bl4de" 12 | }, 13 | "module_name": "m-server", 14 | "cves": [], 15 | "vulnerable_versions": "<=1.4.1", 16 | "patched_versions": ">=1.4.2", 17 | "recommendation": "Update m-server module to version >=1.4.2", 18 | "references": [ 19 | "https://hackerone.com/reports/319795" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 22 | "cvss_score": 6.1, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/469.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 469, 3 | "title": "Privilege Escalation", 4 | "overview": "Privilege escalation allows any user to add an administrator", 5 | "created_at": "2018-04-26", 6 | "updated_at": "2018-07-12", 7 | "publish_date": "2018-07-12", 8 | "author": { 9 | "name": "Patrick", 10 | "website": null, 11 | "username": null 12 | }, 13 | "module_name": "express-cart", 14 | "cves": [], 15 | "vulnerable_versions": "<=1.1.5", 16 | "patched_versions": ">1.1.5", 17 | "recommendation": "Update express-cart module to version >1.1.5", 18 | "references": [ 19 | "https://hackerone.com/reports/343626" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", 22 | "cvss_score": 9.9, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/470.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 470, 3 | "title": "Command Injection - Generic", 4 | "overview": "Command Injection is ps Package", 5 | "created_at": "2018-08-06", 6 | "updated_at": "2018-09-07", 7 | "publish_date": "2018-09-07", 8 | "author": { 9 | "name": "Cristian-Alexandru Staicu", 10 | "website": "https://semmle.com/security", 11 | "username": "cris_semmle" 12 | }, 13 | "module_name": "ps", 14 | "cves": [ 15 | "CVE-2018-16460" 16 | ], 17 | "vulnerable_versions": "<1.0.0", 18 | "patched_versions": ">=1.0.0", 19 | "recommendation": "Update ps module to version >=1.0.0", 20 | "references": [ 21 | "https://hackerone.com/reports/390848" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", 24 | "cvss_score": 6.8, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/471.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 471, 3 | "title": "Command Injection - Generic", 4 | "overview": "[ascii-art] Command injection", 5 | "created_at": "2018-08-05", 6 | "updated_at": "2018-09-08", 7 | "publish_date": "2018-09-08", 8 | "author": { 9 | "name": "Douglas Hall", 10 | "website": null, 11 | "username": "douglas_hall" 12 | }, 13 | "module_name": "ascii-art", 14 | "cves": [], 15 | "vulnerable_versions": "<1.4.4", 16 | "patched_versions": ">=1.4.4", 17 | "recommendation": "Update ascii-art module to version >=1.4.4", 18 | "references": [ 19 | "https://hackerone.com/reports/390631" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", 22 | "cvss_score": 8.6, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/472.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 472, 3 | "title": "NoSQL injection on express-cart", 4 | "overview": "[express-cart] Customer and admin email enumeration through MongoDB injection", 5 | "created_at": "2018-08-20", 6 | "updated_at": "2018-09-10", 7 | "publish_date": "1970-01-01", 8 | "author": { 9 | "name": "Benoit Côté-Jodoin", 10 | "website": "http://bcj.io", 11 | "username": "becojo" 12 | }, 13 | "module_name": "express-cart", 14 | "cves": [], 15 | "vulnerable_versions": "<1.1.8", 16 | "patched_versions": ">=1.1.8", 17 | "recommendation": "Update express-cart module to version >=1.1.8", 18 | "references": [ 19 | "https://hackerone.com/reports/397445" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", 22 | "cvss_score": 8.2, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/473.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 473, 3 | "title": "Arbitrary Code Injection", 4 | "overview": "Code Injection Vulnerability in morgan Package", 5 | "created_at": "2018-08-06", 6 | "updated_at": "2018-09-28", 7 | "publish_date": "2018-09-30", 8 | "author": { 9 | "name": "Cristian-Alexandru Staicu", 10 | "website": "https://semmle.com/security", 11 | "username": "cris_semmle" 12 | }, 13 | "module_name": "morgan", 14 | "cves": [], 15 | "vulnerable_versions": "<1.9.1", 16 | "patched_versions": ">=1.9.1", 17 | "recommendation": "Update morgan module to version >=1.9.1", 18 | "references": [ 19 | "https://hackerone.com/reports/390881" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", 22 | "cvss_score": 6.8, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/474.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 474, 3 | "title": "Command Injection - Generic", 4 | "overview": "Command Injection Vulnerability in libnmap Package", 5 | "created_at": "2018-08-06", 6 | "updated_at": "2018-10-19", 7 | "publish_date": "2018-10-14", 8 | "author": { 9 | "name": "Cristian-Alexandru Staicu", 10 | "website": "https://semmle.com/security", 11 | "username": "cris_semmle" 12 | }, 13 | "module_name": "libnmap", 14 | "cves": [ 15 | "CVE-2018-16461" 16 | ], 17 | "vulnerable_versions": "<0.4.16", 18 | "patched_versions": ">=0.4.16", 19 | "recommendation": "Update libnmap module to version >=0.4.16", 20 | "references": [ 21 | "https://hackerone.com/reports/390865" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", 24 | "cvss_score": 6.8, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/475.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 475, 3 | "title": "Command Injection - Generic", 4 | "overview": "[apex-publish-static-files] Command Injection on connectString", 5 | "created_at": "2018-09-05", 6 | "updated_at": "2018-10-25", 7 | "publish_date": "2018-10-18", 8 | "author": { 9 | "name": "Abdillah Muhamad", 10 | "website": "https://abdilahrf.github.io", 11 | "username": "abdilahrf_" 12 | }, 13 | "module_name": "apex-publish-static-files", 14 | "cves": [ 15 | "CVE-2018-16462" 16 | ], 17 | "vulnerable_versions": "<=2.0.0", 18 | "patched_versions": ">=2.0.1", 19 | "recommendation": "Update apex-publish-static-files module to version >=2.0.1", 20 | "references": [ 21 | "https://hackerone.com/reports/405694" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", 24 | "cvss_score": 10, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/476.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 476, 3 | "title": "Insufficient Entropy", 4 | "overview": "[cryptiles] randomDigits() method generates digits that lack a perfect distribution over enough attempts", 5 | "created_at": "2018-06-24", 6 | "updated_at": "2018-06-24", 7 | "publish_date": "2018-06-24", 8 | "author": { 9 | "name": "Microsoft Vulnerability Research", 10 | "website": "https://www.microsoft.com/en-us/msrc/msvr", 11 | "username": null 12 | }, 13 | "module_name": "cryptiles", 14 | "cves": [ 15 | "CVE-2018-1000620" 16 | ], 17 | "vulnerable_versions": ">=3.1.0 <4.1.2", 18 | "patched_versions": ">=4.1.2", 19 | "recommendation": "Update cryptiles module to version >=4.1.2", 20 | "references": [ 21 | "https://github.com/hapijs/cryptiles/issues/34" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 24 | "cvss_score": 9.8, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/478.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 478, 3 | "title": "Path Traversal", 4 | "overview": "[takeapeek] Path traversal allow to expose directory and files", 5 | "created_at": "2018-09-01", 6 | "updated_at": "2018-11-02", 7 | "publish_date": "2018-11-02", 8 | "author": { 9 | "name": "Abdillah Muhamad", 10 | "website": "https://abdilahrf.github.io", 11 | "username": "abdilahrf_" 12 | }, 13 | "module_name": "takeapeek", 14 | "cves": [ 15 | "CVE-2018-16473" 16 | ], 17 | "vulnerable_versions": "<=0.2.2", 18 | "patched_versions": null, 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/403736" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", 24 | "cvss_score": 8.6, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/479.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 479, 3 | "title": "Cross-site Scripting (XSS) - Stored", 4 | "overview": "[tianma-static] Stored xss on filename", 5 | "created_at": "2018-09-01", 6 | "updated_at": "2018-11-02", 7 | "publish_date": "2018-11-02", 8 | "author": { 9 | "name": "Abdillah Muhamad", 10 | "website": "https://abdilahrf.github.io", 11 | "username": "abdilahrf_" 12 | }, 13 | "module_name": "tianma-static", 14 | "cves": [ 15 | "CVE-2018-16474" 16 | ], 17 | "vulnerable_versions": "<=1.0.4", 18 | "patched_versions": null, 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/403692" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", 24 | "cvss_score": 6.7, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/481.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 481, 3 | "title": "Path Traversal", 4 | "overview": "List any file in the folder by using path traversal", 5 | "created_at": "2018-09-01", 6 | "updated_at": "2018-11-23", 7 | "publish_date": "2018-11-23", 8 | "author": { 9 | "name": "~", 10 | "website": null, 11 | "username": "vulzzz" 12 | }, 13 | "module_name": "simplehttpserver", 14 | "cves": [ 15 | "CVE-2018-16478" 16 | ], 17 | "vulnerable_versions": "<=0.2.1", 18 | "patched_versions": null, 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/403703" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", 24 | "cvss_score": 6.8, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/484.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 484, 3 | "title": "Path Traversal", 4 | "overview": "[knightjs] Path Traversal allows to read content of arbitrary files", 5 | "created_at": "2018-09-01", 6 | "updated_at": "2018-11-02", 7 | "publish_date": "2018-11-02", 8 | "author": { 9 | "name": "Abdillah Muhamad", 10 | "website": "https://abdilahrf.github.io", 11 | "username": "abdilahrf_" 12 | }, 13 | "module_name": "knightjs", 14 | "cves": [ 15 | "CVE-2018-16475" 16 | ], 17 | "vulnerable_versions": "<=0.0.1", 18 | "patched_versions": null, 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/403707" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", 24 | "cvss_score": 8.6, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/486.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 486, 3 | "title": "Path Traversal", 4 | "overview": "[http-live-simulator] Path traversal vulnerability", 5 | "created_at": "2018-09-19", 6 | "updated_at": "2018-12-28", 7 | "publish_date": "2018-12-28", 8 | "author": { 9 | "name": "3la2kb", 10 | "website": null, 11 | "username": "3la2kb" 12 | }, 13 | "module_name": "http-live-simulator", 14 | "cves": [ 15 | "CVE-2018-16479" 16 | ], 17 | "vulnerable_versions": "<=1.0.6", 18 | "patched_versions": ">=1.0.7", 19 | "recommendation": "Update http-live-simulator module to version >=1.0.7", 20 | "references": [ 21 | "https://hackerone.com/reports/411405" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 24 | "cvss_score": 7.5, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/487.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 487, 3 | "title": "Arbitrary File Write Through Archive Extraction", 4 | "overview": "attackers can write arbitrary files when a malicious archive is extracted.", 5 | "created_at": "2019-01-03", 6 | "updated_at": "2019-01-24", 7 | "publish_date": "2019-01-24", 8 | "author": { 9 | "name": "Anonymous", 10 | "website": null, 11 | "username": null 12 | }, 13 | "module_name": "bower", 14 | "cves": [], 15 | "vulnerable_versions": "<1.8.7", 16 | "patched_versions": ">=1.8.7", 17 | "recommendation": "Update bower to latest patch version >=1.8.7", 18 | "references": [ 19 | "https://snyk.io/research/zip-slip-vulnerability" 20 | ], 21 | "coordinating_vendor": null, 22 | "cvss_score": null, 23 | "cvss_vector": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/488.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 488, 3 | "title": "Arbitrary File Write Through Archive Extraction", 4 | "overview": "attackers can write arbitrary files when a malicious archive is extracted.", 5 | "created_at": "2019-01-03", 6 | "updated_at": "2019-01-24", 7 | "publish_date": "2019-01-24", 8 | "author": { 9 | "name": "Anonymous", 10 | "website": null, 11 | "username": null 12 | }, 13 | "module_name": "decompress-zip", 14 | "cves": [], 15 | "vulnerable_versions": "<0.2.2 || >=0.3.0 <0.3.2", 16 | "patched_versions": "~0.2.2 || >=0.3.2", 17 | "recommendation": "Update decompress-zip to either 0.2.2 or 0.3.2", 18 | "references": [ 19 | "https://snyk.io/research/zip-slip-vulnerability" 20 | ], 21 | "coordinating_vendor": null, 22 | "cvss_score": null, 23 | "cvss_vector": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/489.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 489, 3 | "title": "Path Traversal", 4 | "overview": "[bower] Arbitrary File Write through improper validation of symlinks while package extraction", 5 | "created_at": "2019-01-01", 6 | "updated_at": "2019-02-01", 7 | "publish_date": "2019-01-26", 8 | "author": { 9 | "name": "Skynet", 10 | "website": null, 11 | "username": "skyn3t" 12 | }, 13 | "module_name": "bower", 14 | "cves": [ 15 | "CVE-2019-5484" 16 | ], 17 | "vulnerable_versions": "<1.8.8", 18 | "patched_versions": ">=1.8.8", 19 | "recommendation": "Update bower module to version >=1.8.8", 20 | "references": [ 21 | "https://hackerone.com/reports/473811" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", 24 | "cvss_score": 8, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/490.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 490, 3 | "title": "Denial of Service", 4 | "overview": "Prototype pollution attack in node.extend", 5 | "created_at": "2018-10-30", 6 | "updated_at": "2019-01-03", 7 | "publish_date": "2018-11-30", 8 | "author": { 9 | "name": "asgerf", 10 | "website": null, 11 | "username": "asgerf" 12 | }, 13 | "module_name": "node.extend", 14 | "cves": [ 15 | "CVE-2018-16491" 16 | ], 17 | "vulnerable_versions": "<2.0.1 || <1.1.7", 18 | "patched_versions": "^1.1.7 || >= 2.0.1", 19 | "recommendation": "Update node.extend module to version ^1.1.7 || >= 2.0.1", 20 | "references": [ 21 | "https://hackerone.com/reports/430831" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", 24 | "cvss_score": 5.7, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/491.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 491, 3 | "title": "Denial of Service", 4 | "overview": "Prototype Pollution Vulnerability in mpath Package", 5 | "created_at": "2018-08-06", 6 | "updated_at": "2019-01-03", 7 | "publish_date": "2018-11-30", 8 | "author": { 9 | "name": "Cristian-Alexandru Staicu", 10 | "website": "https://semmle.com/security", 11 | "username": "cris_semmle" 12 | }, 13 | "module_name": "mpath", 14 | "cves": [ 15 | "CVE-2018-16490" 16 | ], 17 | "vulnerable_versions": "<0.5.1", 18 | "patched_versions": ">=0.5.1", 19 | "recommendation": "Update mpath module to version >=0.5.1", 20 | "references": [ 21 | "https://hackerone.com/reports/390860" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", 24 | "cvss_score": 7.6, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/492.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 492, 3 | "title": "Denial of Service", 4 | "overview": "Prototype pollution attack in just-extend", 5 | "created_at": "2018-10-29", 6 | "updated_at": "2019-01-03", 7 | "publish_date": "2018-11-29", 8 | "author": { 9 | "name": "asgerf", 10 | "website": null, 11 | "username": "asgerf" 12 | }, 13 | "module_name": "just-extend", 14 | "cves": [ 15 | "CVE-2018-16489" 16 | ], 17 | "vulnerable_versions": "<4.0.0", 18 | "patched_versions": ">=4.0.0", 19 | "recommendation": "Update just-extend module to version >=4.0.0", 20 | "references": [ 21 | "https://hackerone.com/reports/430291" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", 24 | "cvss_score": 5.7, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/493.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 493, 3 | "title": "Denial of Service", 4 | "overview": "Prototype pollution attack (lodash / constructor.prototype)", 5 | "created_at": "2018-07-12", 6 | "updated_at": "2019-01-03", 7 | "publish_date": "2018-10-30", 8 | "author": { 9 | "name": "asgerf", 10 | "website": null, 11 | "username": "asgerf" 12 | }, 13 | "module_name": "lodash", 14 | "cves": [ 15 | "CVE-2018-16487" 16 | ], 17 | "vulnerable_versions": "<4.17.11", 18 | "patched_versions": ">=4.17.11", 19 | "recommendation": "Update lodash module to version >=4.17.11", 20 | "references": [ 21 | "https://hackerone.com/reports/380873" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", 24 | "cvss_score": 7.0, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/494.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 494, 3 | "title": "Denial of Service", 4 | "overview": "Prototype pollution attack (defaults-deep / constructor.prototype)", 5 | "created_at": "2018-07-12", 6 | "updated_at": "2019-01-03", 7 | "publish_date": "2018-09-28", 8 | "author": { 9 | "name": "asgerf", 10 | "website": null, 11 | "username": "asgerf" 12 | }, 13 | "module_name": "defaults-deep", 14 | "cves": [ 15 | "CVE-2018-16486" 16 | ], 17 | "vulnerable_versions": "<=0.2.4", 18 | "patched_versions": null, 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/380878" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", 24 | "cvss_score": 6.1, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/496.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 496, 3 | "title": "Modification of Assumed-Immutable Data (MAID)", 4 | "overview": "Prototype pollution attack through jQuery $.extend", 5 | "created_at": "2018-12-03", 6 | "updated_at": "2019-04-02", 7 | "publish_date": "2019-04-02", 8 | "author": { 9 | "name": "Semmle Security Research Team", 10 | "website": "https://lgtm.com/security", 11 | "username": "asgerf" 12 | }, 13 | "module_name": "jQuery", 14 | "cves": [ 15 | "CVE-2019-5428", 16 | "CVE-2019-11358" 17 | ], 18 | "vulnerable_versions": "<3.4.0", 19 | "patched_versions": ">=3.4.0", 20 | "recommendation": "Upgrade to 3.4.0 or higheer", 21 | "references": [ 22 | "https://hackerone.com/reports/454365" 23 | ], 24 | "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", 25 | "cvss_score": 5.6, 26 | "coordinating_vendor": null 27 | } 28 | -------------------------------------------------------------------------------- /vuln/npm/497.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 497, 3 | "title": "Cross-site Scripting (XSS) - Generic", 4 | "overview": "[harp] Unsafe rendering of Markdown files", 5 | "created_at": "2018-12-02", 6 | "updated_at": "2019-04-06", 7 | "publish_date": "2019-04-06", 8 | "author": { 9 | "name": "Skynet", 10 | "website": null, 11 | "username": "skyn3t" 12 | }, 13 | "module_name": "harp", 14 | "cves": [], 15 | "vulnerable_versions": "<=0.29.0", 16 | "patched_versions": null, 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": [ 19 | "https://hackerone.com/reports/453795" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", 22 | "cvss_score": 3.3, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/498.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 498, 3 | "title": "Information Exposure Through Directory Listing", 4 | "overview": "[harp] File access even when they have been set to be ignored.", 5 | "created_at": "2018-12-02", 6 | "updated_at": "2019-04-06", 7 | "publish_date": "2019-04-06", 8 | "author": { 9 | "name": "Skynet", 10 | "website": null, 11 | "username": "skyn3t" 12 | }, 13 | "module_name": "harp", 14 | "cves": [ 15 | "CVE-2019-5437" 16 | ], 17 | "vulnerable_versions": "<=0.29.0", 18 | "patched_versions": null, 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/453820" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 24 | "cvss_score": 5.3, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/499.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 499, 3 | "title": "Path Traversal", 4 | "overview": "[harp] Path traversal using symlink", 5 | "created_at": "2019-04-06", 6 | "updated_at": "2019-04-09", 7 | "publish_date": "2019-04-09", 8 | "author": { 9 | "name": "Skynet", 10 | "website": null, 11 | "username": "skyn3t" 12 | }, 13 | "module_name": "harp", 14 | "cves": [ 15 | "CVE-2019-5438" 16 | ], 17 | "vulnerable_versions": "<=0.30.0", 18 | "patched_versions": null, 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/530289" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 24 | "cvss_score": 5.3, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/501.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 501, 3 | "title": "Information Exposure Through an Error Message", 4 | "overview": "environment variable leakage in error reporting", 5 | "created_at": "2019-04-04", 6 | "updated_at": "2019-09-03", 7 | "publish_date": "2019-09-03", 8 | "author": { 9 | "name": "Matteo Collina", 10 | "website": null, 11 | "username": "mcollina" 12 | }, 13 | "module_name": "seneca", 14 | "cves": [ 15 | "CVE-2019-5483" 16 | ], 17 | "vulnerable_versions": "<3.9.0", 18 | "patched_versions": ">=3.9.0", 19 | "recommendation": "Update seneca module to version >=3.9.0", 20 | "references": [ 21 | "https://hackerone.com/reports/526258" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 24 | "cvss_score": 3.3, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/502.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 502, 3 | "title": "OS Command Injection", 4 | "overview": "gitlabhook OS Command Injection", 5 | "created_at": "2019-08-31", 6 | "updated_at": "2019-09-13", 7 | "publish_date": "2019-09-13", 8 | "author": { 9 | "name": "garumpage", 10 | "website": null, 11 | "username": "garumpage" 12 | }, 13 | "module_name": "gitlabhook", 14 | "cves": [ 15 | "CVE-2019-5485" 16 | ], 17 | "vulnerable_versions": "*", 18 | "patched_versions": null, 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/685447" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", 24 | "cvss_score": 10, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/503.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 503, 3 | "title": "Cross-site Scripting (XSS) - Stored", 4 | "overview": "[http_server] Stored XSS in the filename when directories listing", 5 | "created_at": "2019-05-12", 6 | "updated_at": "2019-09-13", 7 | "publish_date": "2019-09-13", 8 | "author": { 9 | "name": "An Nguyen", 10 | "website": null, 11 | "username": "lightangel1412" 12 | }, 13 | "module_name": "http_server", 14 | "cves": [], 15 | "vulnerable_versions": "*", 16 | "patched_versions": null, 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": [ 19 | "https://hackerone.com/reports/578138" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", 22 | "cvss_score": 3.9, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/504.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 504, 3 | "title": "Path Traversal", 4 | "overview": "Path traversal using symlink", 5 | "created_at": "2019-09-16", 6 | "updated_at": "2019-10-07", 7 | "publish_date": "2019-10-07", 8 | "author": { 9 | "name": "0xChe", 10 | "website": null, 11 | "username": "0xche" 12 | }, 13 | "module_name": "statics-server", 14 | "cves": [ 15 | "CVE-2019-15596" 16 | ], 17 | "vulnerable_versions": "*", 18 | "patched_versions": null, 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/695416" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:U/A:U", 24 | "cvss_score": 7.5, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/505.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 505, 3 | "title": "Man-in-the-Middle", 4 | "overview": "[https-proxy-agent] Socket returned without TLS upgrade on non-200 CONNECT response, allowing request data to be sent over unencrypted connection", 5 | "created_at": "2019-04-17", 6 | "updated_at": "2019-10-07", 7 | "publish_date": "2019-09-25", 8 | "author": { 9 | "name": "Kris Adler", 10 | "website": null, 11 | "username": "kadler15" 12 | }, 13 | "module_name": "https-proxy-agent", 14 | "cves": [], 15 | "vulnerable_versions": "<2.2.3", 16 | "patched_versions": ">=2.2.3", 17 | "recommendation": "Update https-proxy-agent module to version >=2.2.3", 18 | "references": [ 19 | "https://hackerone.com/reports/541502" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", 22 | "cvss_score": 6.1, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/506.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 506, 3 | "title": "Code Injection", 4 | "overview": "[node-df] RCE via insecure command concatenation", 5 | "created_at": "2019-09-28", 6 | "updated_at": "2019-12-04", 7 | "publish_date": "2019-12-04", 8 | "author": { 9 | "name": "Michele Romano", 10 | "website": "https://mik317.github.io", 11 | "username": "mik317" 12 | }, 13 | "module_name": "node-df", 14 | "cves": [ 15 | "CVE-2019-15597" 16 | ], 17 | "vulnerable_versions": "*", 18 | "patched_versions": null, 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/703412" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 24 | "cvss_score": 8.4, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/507.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 507, 3 | "title": "Code Injection", 4 | "overview": "[treekill] RCE via insecure command concatenation (only Windows)", 5 | "created_at": "2019-09-28", 6 | "updated_at": "2019-12-04", 7 | "publish_date": "2019-12-04", 8 | "author": { 9 | "name": "Michele Romano", 10 | "website": "https://mik317.github.io", 11 | "username": "mik317" 12 | }, 13 | "module_name": "treekill", 14 | "cves": [ 15 | "CVE-2019-15598" 16 | ], 17 | "vulnerable_versions": "*", 18 | "patched_versions": null, 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/703415" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", 24 | "cvss_score": 7.3, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/508.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 508, 3 | "title": "Code Injection", 4 | "overview": "[tree-kill] RCE via insecure command concatenation (only Windows)", 5 | "created_at": "2019-09-24", 6 | "updated_at": "2019-12-04", 7 | "publish_date": "2019-12-04", 8 | "author": { 9 | "name": "Michele Romano", 10 | "website": "https://mik317.github.io", 11 | "username": "mik317" 12 | }, 13 | "module_name": "tree-kill", 14 | "cves": [ 15 | "CVE-2019-15599" 16 | ], 17 | "vulnerable_versions": "<1.2.2", 18 | "patched_versions": ">=1.2.2", 19 | "recommendation": "Update to version 1.2.2 or greater", 20 | "references": [ 21 | "https://hackerone.com/reports/701183" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", 24 | "cvss_score": 7, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/509.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 509, 3 | "title": "Path Traversal", 4 | "overview": "Path traversal in https://www.npmjs.com/package/http_server via symlink", 5 | "created_at": "2019-09-11", 6 | "updated_at": "2019-12-04", 7 | "publish_date": "1970-01-01", 8 | "author": { 9 | "name": "Vineet Kumar Pandey", 10 | "website": null, 11 | "username": "vineetpandey" 12 | }, 13 | "module_name": "http_server", 14 | "cves": [ 15 | "CVE-2019-15600" 16 | ], 17 | "vulnerable_versions": "*", 18 | "patched_versions": null, 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/692262" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", 24 | "cvss_score": 5.5, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/510.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 510, 3 | "title": "Cross-site Scripting (XSS) - Stored", 4 | "overview": "[fileview] Inadequate Output Encoding and Escaping ", 5 | "created_at": "2019-03-09", 6 | "updated_at": "2019-12-28", 7 | "publish_date": "2019-12-28", 8 | "author": { 9 | "name": "johns simon", 10 | "website": "http://johnssimon.com", 11 | "username": "johnssimon007" 12 | }, 13 | "module_name": "fileview", 14 | "cves": [ 15 | "CVE-2019-15602" 16 | ], 17 | "vulnerable_versions": "*", 18 | "patched_versions": null, 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/507159" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", 24 | "cvss_score": 7.1, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/511.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 511, 3 | "title": "Cross-site Scripting (XSS) - Stored", 4 | "overview": "[seeftl] Stored XSS when directory listing via filename.", 5 | "created_at": "2019-08-01", 6 | "updated_at": "2019-12-31", 7 | "publish_date": "1970-01-01", 8 | "author": { 9 | "name": "Luiz Viana", 10 | "website": null, 11 | "username": "luizviana" 12 | }, 13 | "module_name": "seeftl", 14 | "cves": [ 15 | "CVE-2019-15603" 16 | ], 17 | "vulnerable_versions": "*", 18 | "patched_versions": null, 19 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 20 | "references": [ 21 | "https://hackerone.com/reports/665302" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", 24 | "cvss_score": 4.4, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/512.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 512, 3 | "title": "Code Injection", 4 | "overview": "[meta-git] RCE via insecure command formatting", 5 | "created_at": "2019-11-02", 6 | "updated_at": "2020-01-11", 7 | "publish_date": "2020-01-11", 8 | "author": { 9 | "name": "Michele Romano", 10 | "website": "https://mik317.github.io", 11 | "username": "mik317" 12 | }, 13 | "module_name": "meta-git", 14 | "cves": [], 15 | "vulnerable_versions": "*", 16 | "patched_versions": null, 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": [ 19 | "https://hackerone.com/reports/728040" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", 22 | "cvss_score": 6.2, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/513.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 513, 3 | "title": "Cross-site Scripting (XSS) - Stored", 4 | "overview": "Stored XSS (Hexo-admin plugin)", 5 | "created_at": "2019-10-17", 6 | "updated_at": "2020-01-11", 7 | "publish_date": "2020-01-11", 8 | "author": { 9 | "name": "chintan", 10 | "website": "https://twitter.com/@aye_robot", 11 | "username": "ayerobot" 12 | }, 13 | "module_name": "hexo-admin", 14 | "cves": [], 15 | "vulnerable_versions": "*", 16 | "patched_versions": null, 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": [ 19 | "https://hackerone.com/reports/716570" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", 22 | "cvss_score": 2.7, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/514.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 514, 3 | "title": "Code Injection", 4 | "overview": "[npm-git-publish] RCE via insecure command formatting", 5 | "created_at": "2019-11-05", 6 | "updated_at": "2020-01-11", 7 | "publish_date": "2020-01-11", 8 | "author": { 9 | "name": "Michele Romano", 10 | "website": "https://mik317.github.io", 11 | "username": "mik317" 12 | }, 13 | "module_name": "npm-git-publish", 14 | "cves": [], 15 | "vulnerable_versions": "*", 16 | "patched_versions": null, 17 | "recommendation": "No fix is currently available for this vulnerability.\n\nIt is our recommendation to not install or use this module at this time.", 18 | "references": [ 19 | "https://hackerone.com/reports/730121" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 22 | "cvss_score": 6.8, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/516.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 516, 3 | "title": "Allocation of Resources Without Limits or Throttling", 4 | "overview": "Prototype pollution attack (lodash)", 5 | "created_at": "2019-10-11", 6 | "updated_at": "2020-07-13", 7 | "publish_date": "1970-01-01", 8 | "author": { 9 | "name": "posix", 10 | "website": null, 11 | "username": "posix" 12 | }, 13 | "module_name": "lodash", 14 | "cves": [], 15 | "vulnerable_versions": ">=4.17.15 <4.17.19", 16 | "patched_versions": ">=4.17.19", 17 | "recommendation": "Update to version 4.17.19 or greater", 18 | "references": [ 19 | "https://hackerone.com/reports/712065", 20 | "https://github.com/lodash/lodash/pull/4759", 21 | "https://www.npmjs.com/advisories/1523" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", 24 | "cvss_score": 7.4, 25 | "coordinating_vendor": null 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/517.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 517, 3 | "title": "Code Injection", 4 | "overview": "[git-promise] RCE via insecure command formatting", 5 | "created_at": "2019-11-02", 6 | "updated_at": "2020-04-25", 7 | "publish_date": "2020-04-25", 8 | "author": { 9 | "name": "Michele Romano", 10 | "website": "https://mik317.github.io", 11 | "username": "mik317" 12 | }, 13 | "module_name": "git-promise", 14 | "cves": [], 15 | "vulnerable_versions": "<1.0.0", 16 | "patched_versions": ">=1.0.0", 17 | "recommendation": "Update Other module module to version >=1.0.0", 18 | "references": [ 19 | "https://hackerone.com/reports/728047" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", 22 | "cvss_score": 6.2, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/518.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 518, 3 | "title": "Path Traversal", 4 | "overview": "[Total.js] Path traversal vulnerability allows to read files outside public directory", 5 | "created_at": "2019-11-30", 6 | "updated_at": "2020-04-25", 7 | "publish_date": "2020-04-25", 8 | "author": { 9 | "name": "Visat", 10 | "website": null, 11 | "username": "visat" 12 | }, 13 | "module_name": "total.js", 14 | "cves": [], 15 | "vulnerable_versions": "<3.4.0", 16 | "patched_versions": ">=3.4.0", 17 | "recommendation": "Update Other module module to version >=3.4.0", 18 | "references": [ 19 | "https://hackerone.com/reports/748765" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 22 | "cvss_score": 5.3, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/519.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 519, 3 | "title": "Denial of Service", 4 | "overview": "Crash Node.js process from handlebars using a small and simple source", 5 | "created_at": "2019-10-31", 6 | "updated_at": "2020-04-27", 7 | "publish_date": "2020-04-27", 8 | "author": { 9 | "name": "Alexander", 10 | "website": null, 11 | "username": "macasun" 12 | }, 13 | "module_name": "handlebars", 14 | "cves": [], 15 | "vulnerable_versions": "<4.6.0", 16 | "patched_versions": ">=4.6.0", 17 | "recommendation": "Update handlebars module to version >=4.6.0", 18 | "references": [ 19 | "https://hackerone.com/reports/726364" 20 | ], 21 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", 22 | "cvss_score": 6.5, 23 | "coordinating_vendor": null 24 | } 25 | -------------------------------------------------------------------------------- /vuln/npm/56.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 56, 3 | "created_at": "2015-11-03", 4 | "updated_at": "2016-04-25", 5 | "title": "Root Path Disclosure", 6 | "author": { 7 | "name": "Dinis Cruz", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "send", 12 | "publish_date": "2015-11-03", 13 | "cves": [ 14 | "CVE-2015-8859" 15 | ], 16 | "vulnerable_versions": "<0.11.1", 17 | "patched_versions": ">=0.11.1", 18 | "overview": "The send module < 0.11.1 discloses the root path.", 19 | "recommendation": "Upgrade to send version 0.11.1 or greater.", 20 | "references": [ 21 | "https://github.com/pillarjs/send/pull/70", 22 | "https://github.com/expressjs/serve-static/blob/master/HISTORY.md#181--2015-01-20" 23 | ], 24 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 25 | "cvss_score": 5.3, 26 | "coordinating_vendor": "^Lift Security" 27 | } 28 | -------------------------------------------------------------------------------- /vuln/npm/57.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 57, 3 | "created_at": "2015-11-03", 4 | "updated_at": "2016-04-25", 5 | "title": "Symlink Arbitrary File Overwrite", 6 | "author": { 7 | "name": "Tim Cuthbertson", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "tar", 12 | "publish_date": "2015-11-03", 13 | "cves": [ 14 | "CVE-2015-8860" 15 | ], 16 | "vulnerable_versions": "<2.0.0", 17 | "patched_versions": ">=2.0.0", 18 | "overview": "The `tar` module earlier than version 2.0.0 allow for archives to contain symbolic links that will overwrite targets outside the expected path for extraction.", 19 | "recommendation": "Update to a version 2.0.0 or greater", 20 | "references": [ 21 | "https://github.com/npm/npm/releases/tag/v2.7.5" 22 | ], 23 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 24 | "cvss_score": 7.5, 25 | "coordinating_vendor": "^Lift Security" 26 | } 27 | -------------------------------------------------------------------------------- /vuln/npm/60.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 60, 3 | "created_at": "2015-12-04", 4 | "updated_at": "2016-04-27", 5 | "title": "Authentication Weakness", 6 | "author": { 7 | "name": "Greg Meyer", 8 | "website": null, 9 | "username": null 10 | }, 11 | "module_name": "keystone", 12 | "publish_date": "2015-12-04", 13 | "cves": [], 14 | "vulnerable_versions": "<0.3.16", 15 | "patched_versions": ">=0.3.16", 16 | "overview": "Due to a bug in the the default sign in functionality, incomplete email addresses could be matched. A correct password is still required to complete sign in.", 17 | "recommendation": "Users of this module should update to version 0.3.16 or greater", 18 | "references": null, 19 | "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 20 | "cvss_score": 4.3, 21 | "coordinating_vendor": "^Lift Security" 22 | } 23 | --------------------------------------------------------------------------------