HackerOne

All CVEs

154 total · sorted by risk
  • CVE-2017-16048 · High · Jun 4, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    `node-sqlite` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

  • CVE-2017-16045 · High · Jun 4, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    `jquery.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

  • CVE-2017-16044 · High · Jun 4, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    `d3.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

  • CVE-2017-16037 · High · Jun 4, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    `gomeplus-h5-proxy` is vulnerable to a directory traversal issue, allowing attackers to access any file in the system by placing '../' in the URL.

  • CVE-2017-16013 · High · Jun 4, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached.

  • CVE-2016-10608 · High · Jun 1, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    robot-js is a module for native system automation for node.js. robot-js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled…

  • CVE-2016-10527 · High · May 31, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    riot-compiler version 2.3.21 has an issue in a regex (catastrophic backtracking) that makes it unusable under certain conditions.

  • CVE-2016-10521 · High · May 31, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input are passed in to the emailAddress validator.

  • CVE-2014-10066 · High · May 31, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    Versions less than 0.1.4 of the static file server module fancy-server are vulnerable to directory traversal. An attacker can provide input such as `../` to read files outside of the served directory.

  • CVE-2014-10064 · High · May 31, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service…

  • CVE-2018-3734 · High · May 29, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    stattic node module suffers from a Path Traversal vulnerability due to lack of validation of path, which allows a malicious user to read content of any file with known path.

  • CVE-2017-16047 · High · May 29, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

  • CVE-2017-0901 · High · Aug 31, 2017
    risk 0.47 · cvss 7.5 · epss 0.29

    RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

  • CVE-2016-10638 · High · Jun 4, 2018
    risk 0.46 · cvss 8.1 · epss 0.02

    js-given is a JavaScript frontend to jgiven. js-given downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker…

  • CVE-2016-10626 · High · Jun 1, 2018
    risk 0.46 · cvss 8.1 · epss 0.02

    mystem3 is a NodeJS wrapper for the Yandex MyStem 3. mystem3 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the…

  • CVE-2016-10588 · High · Jun 1, 2018
    risk 0.46 · cvss 8.1 · epss 0.02

    nw is an installer for nw.js. nw downloads zipped resources over HTTP. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled binary if the attacker is on the network or positioned in between the user and the…

  • CVE-2016-10582 · High · Jun 1, 2018
    risk 0.46 · cvss 8.1 · epss 0.02

    closurecompiler is a Closure Compiler for node.js. closurecompiler downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if…

  • CVE-2017-16003 · High · May 29, 2018
    risk 0.46 · cvss 8.1 · epss 0.02

    windows-build-tools is a module for installing C++ Build Tools for Windows using npm. windows-build-tools versions below 1.0.0 download resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the…

  • CVE-2016-10577 · High · May 29, 2018
    risk 0.46 · cvss 8.1 · epss 0.02

    ibm_db is an asynchronous/synchronous interface for node.js to IBM DB2 and IBM Informix. ibm_db before 1.0.2 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested…

  • CVE-2017-0902 · High · Aug 31, 2017
    risk 0.46 · cvss 8.1 · epss 0.05

    RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.

  • CVE-2018-3714 · Medium · Jun 7, 2018
    risk 0.43 · cvss 6.5 · epss 0.09

    node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path.

  • CVE-2018-3737 · High · Jun 7, 2018
    risk 0.42 · cvss 7.5 · epss 0.02

    sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

  • CVE-2017-16138 · High · Jun 7, 2018
    risk 0.42 · cvss 7.5 · epss 0.02

    The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

  • CVE-2017-16098 · High · Jun 7, 2018
    risk 0.42 · cvss 7.5 · epss 0.02

    charset 1.0.0 and below are vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default header max length is 80kb, so the impact…

  • CVE-2017-16024 · Medium · Jun 4, 2018
    risk 0.42 · cvss 6.5 · epss 0.03

    The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain…

  • CVE-2017-16021 · Medium · Jun 4, 2018
    risk 0.42 · cvss 6.5 · epss 0.01

    uri-js is a module that tries to fully implement RFC 3986. One of its features is validating whether a supplied URL is valid. To do this, uri-js uses a regular expression. This regular expression is vulnerable to ReDoS. This causes the program to hang and the CPU…

  • CVE-2016-10518 · High · May 31, 2018
    risk 0.42 · cvss 7.5 · epss 0.02

    A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly…

  • CVE-2018-3733 · High · May 29, 2018
    risk 0.42 · cvss 7.5 · epss 0.02

    crud-file-server node module before 0.9.0 suffers from a Path Traversal vulnerability due to incorrect validation of url, which allows a malicious user to read content of any file with known path.

  • CVE-2015-9242 · High · May 29, 2018
    risk 0.42 · cvss 7.5 · epss 0.02

    Certain input strings when passed to new Date() or Date.parse() in ecstatic node module before 1.4.0 will cause v8 to raise an exception. This leads to a crash and denial of service in ecstatic when this input is passed into the server via the If-Modified-Since header.

  • CVE-2015-9241 · High · May 29, 2018
    risk 0.42 · cvss 7.5 · epss 0.02

    Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out (default…

  • CVE-2014-10068 · High · May 29, 2018
    risk 0.42 · cvss 7.5 · epss 0.02

    The inert directory handler in inert node module before 1.1.1 always allows files in hidden directories to be served, even when `showHidden` is false.

  • CVE-2017-16224 · Medium · Jun 7, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most…

  • CVE-2017-16043 · Medium · Jun 4, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    Shout is an IRC client. Because the `/topic` command in messages is unescaped, attackers have the ability to inject HTML scripts that will run in the victim's browser. Affects shout >=0.44.0 <=0.49.3.

  • CVE-2017-16041 · Medium · Jun 4, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    ikst versions before 1.1.2 download resources over HTTP, which leaves it vulnerable to MITM attacks.

  • CVE-2016-10530 · Medium · May 31, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP. Environment variables can often contain secret keys and other sensitive values. A malicious user could be on the same network as a regular user and intercept all the secret keys the…

  • CVE-2015-9243 · Medium · May 29, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have…

  • CVE-2018-3718 · Medium · Jun 7, 2018
    risk 0.35 · cvss 5.3 · epss 0.01

    serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded.

  • CVE-2018-3712 · Medium · Jun 7, 2018
    risk 0.35 · cvss 6.5 · epss 0.02

    serve node module before 6.4.9 suffers from a Path Traversal vulnerability due to not handling %2e (.) and %2f (/) and allowing them in paths, which allows a malicious user to view the contents of any directory with known path.

  • CVE-2017-16222 · Medium · Jun 7, 2018
    risk 0.35 · cvss 5.3 · epss 0.02

    elding is a simple web server. elding is vulnerable to a directory traversal issue, allowing an attacker to access the filesystem by placing "../" in the url. The files accessible, however, are limited to files with a file extension. Sending a GET request to…

  • CVE-2016-10543 · Medium · May 31, 2018
    risk 0.35 · cvss 5.3 · epss 0.01

    call is an HTTP router that is primarily used by the hapi framework. There exists a bug in call versions 2.0.1-3.0.1 that does not validate empty parameters, which could result in invalid input bypassing the route validation rules.

  • CVE-2015-9236 · Medium · May 31, 2018
    risk 0.35 · cvss 5.3 · epss 0.02

    Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and…

  • CVE-2018-3726 · Medium · Jun 7, 2018
    risk 0.33 · cvss 6.1 · epss 0.01

    crud-file-server node module before 0.8.0 suffers from a Cross-Site Scripting vulnerability due to a lack of validation of file names.

  • CVE-2017-16025 · Medium · Jun 4, 2018
    risk 0.32 · cvss 5.9 · epss 0.02

    Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to `cookie`. Submitting an invalid…

  • CVE-2017-16007 · Medium · Jun 4, 2018
    risk 0.31 · cvss 5.9 · epss 0.01

    node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key…

  • CVE-2016-10544 · Medium · May 31, 2018
    risk 0.31 · cvss 5.9 · epss 0.01

    uws is a WebSocket server library. By sending a 256mb websocket message to a uws server instance with permessage-deflate enabled, there is a possibility that the compression used will shrink said 256mb down to less than 16mb of websocket payload which passes the length check of 16mb…

  • CVE-2016-10536 · Medium · May 31, 2018
    risk 0.31 · cvss 5.9 · epss 0.01

    engine.io-client is the client for engine.io, the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. The vulnerability is related to the way that node.js handles the `rejectUnauthorized` setting. If the value is…

  • CVE-2016-10538 · Low · May 31, 2018
    risk 0.23 · cvss 3.5 · epss 0.01

    The package `node-cli` before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

  • CVE-2016-10549 · Medium · May 31, 2018
    risk 0.22 · cvss 4.4 · epss 0.01

    Sails is an MVC style framework for building realtime web applications. Version 0.12.7 and lower have an issue with the CORS configuration where the value of the origin header is reflected as the value for the Access-Control-Allow-Origin header. This would allow an attacker to…

  • CVE-2025-55127 · Nov 20, 2025
    risk 0.00 · cvss · epss 0.00

    HackerOne community member Dao Hoang Anh (yoyomiski) has reported an improper neutralization of whitespace in the username when adding new users. A username with leading or trailing whitespace could be virtually indistinguishable from its legitimate counterpart when the username…

  • CVE-2017-16226 · Critical · Jun 7, 2018
    risk 0.00 · cvss 9.8 · epss 0.04

    The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution.