Vendor CVEs
Hackerone
All CVEs
154 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-16048 | | High | 0.49 | 7.5 | 0.01 | | Jun 4, 2018 | `node-sqlite` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16045 | | High | 0.49 | 7.5 | 0.01 | | Jun 4, 2018 | `jquery.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16044 | | High | 0.49 | 7.5 | 0.01 | | Jun 4, 2018 | `d3.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16037 | | High | 0.49 | 7.5 | 0.02 | | Jun 4, 2018 | `gomeplus-h5-proxy` is vulnerable to a directory traversal issue, allowing attackers to access any file in the system by placing '../' in the URL. |
| CVE-2017-16013 | | High | 0.49 | 7.5 | 0.02 | | Jun 4, 2018 | hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached. |
| CVE-2016-10608 | | High | 0.49 | 7.5 | 0.02 | | Jun 1, 2018 | robot-js is a module for native system automation for node.js. robot-js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled… |
| CVE-2016-10527 | | High | 0.49 | 7.5 | 0.02 | | May 31, 2018 | The riot-compiler version 2.3.21 has an issue in a regex (Catastrophic Backtracking) that makes it unusable under certain conditions. |
| CVE-2016-10521 | | High | 0.49 | 7.5 | 0.01 | | May 31, 2018 | jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input are passed in to the emailAddress validator. |
| CVE-2014-10066 | | High | 0.49 | 7.5 | 0.02 | | May 31, 2018 | Versions less than 0.1.4 of the static file server module fancy-server are vulnerable to directory traversal. An attacker can provide input such as `../` to read files outside of the served directory. |
| CVE-2014-10064 | | High | 0.49 | 7.5 | 0.01 | | May 31, 2018 | The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service… |
| CVE-2018-3734 | | High | 0.49 | 7.5 | 0.02 | | May 29, 2018 | stattic node module suffers from a Path Traversal vulnerability due to lack of validation of path, which allows a malicious user to read content of any file with known path. |
| CVE-2017-16047 | | High | 0.49 | 7.5 | 0.01 | | May 29, 2018 | mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-0901 | | High | 0.47 | 7.5 | 0.29 | | Aug 31, 2017 | RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. |
| CVE-2016-10638 | | High | 0.46 | 8.1 | 0.02 | | Jun 4, 2018 | js-given is a JavaScript frontend to jgiven. js-given downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker… |
| CVE-2016-10626 | | High | 0.46 | 8.1 | 0.02 | | Jun 1, 2018 | mystem3 is a NodeJS wrapper for the Yandex MyStem 3. mystem3 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the… |
| CVE-2016-10588 | | High | 0.46 | 8.1 | 0.02 | | Jun 1, 2018 | nw is an installer for nw.js. nw downloads zipped resources over HTTP. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled binary if the attacker is on the network or positioned in between the user and the… |
| CVE-2016-10582 | | High | 0.46 | 8.1 | 0.02 | | Jun 1, 2018 | closurecompiler is a Closure Compiler for node.js. closurecompiler downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if… |
| CVE-2017-16003 | | High | 0.46 | 8.1 | 0.02 | | May 29, 2018 | windows-build-tools is a module for installing C++ Build Tools for Windows using npm. windows-build-tools versions below 1.0.0 download resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the… |
| CVE-2016-10577 | | High | 0.46 | 8.1 | 0.02 | | May 29, 2018 | ibm_db is an asynchronous/synchronous interface for node.js to IBM DB2 and IBM Informix. ibm_db before 1.0.2 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested… |
| CVE-2017-0902 | | High | 0.46 | 8.1 | 0.05 | | Aug 31, 2017 | RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. |
| CVE-2018-3714 | | Medium | 0.43 | 6.5 | 0.09 | | Jun 7, 2018 | node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path. |
| CVE-2018-3737 | | High | 0.42 | 7.5 | 0.02 | | Jun 7, 2018 | sshpk is vulnerable to ReDoS when parsing crafted invalid public keys. |
| CVE-2017-16138 | | High | 0.42 | 7.5 | 0.02 | | Jun 7, 2018 | The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input. |
| CVE-2017-16098 | | High | 0.42 | 7.5 | 0.02 | | Jun 7, 2018 | charset 1.0.0 and below are vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default header max length is 80kb, so the impact… |
| CVE-2017-16024 | | Medium | 0.42 | 6.5 | 0.03 | | Jun 4, 2018 | The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain… |
| CVE-2017-16021 | | Medium | 0.42 | 6.5 | 0.01 | | Jun 4, 2018 | uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid. To do this, uri-js uses a regular expression. This regular expression is vulnerable to ReDoS. This causes the program to hang and the CPU… |
| CVE-2016-10518 | | High | 0.42 | 7.5 | 0.02 | | May 31, 2018 | A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly… |
| CVE-2018-3733 | | High | 0.42 | 7.5 | 0.02 | | May 29, 2018 | crud-file-server node module before 0.9.0 suffers from a Path Traversal vulnerability due to incorrect validation of url, which allows a malicious user to read content of any file with known path. |
| CVE-2015-9242 | | High | 0.42 | 7.5 | 0.02 | | May 29, 2018 | Certain input strings when passed to new Date() or Date.parse() in ecstatic node module before 1.4.0 will cause v8 to raise an exception. This leads to a crash and denial of service in ecstatic when this input is passed into the server via the If-Modified-Since header. |
| CVE-2015-9241 | | High | 0.42 | 7.5 | 0.02 | | May 29, 2018 | Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending an HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out (default… |
| CVE-2014-10068 | | High | 0.42 | 7.5 | 0.02 | | May 29, 2018 | The inert directory handler in inert node module before 1.1.1 always allows files in hidden directories to be served, even when `showHidden` is false. |
| CVE-2017-16224 | | Medium | 0.40 | 6.1 | 0.01 | | Jun 7, 2018 | st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most… |
| CVE-2017-16043 | | Medium | 0.40 | 6.1 | 0.01 | | Jun 4, 2018 | Shout is an IRC client. Because the `/topic` command in messages is unescaped, attackers have the ability to inject HTML scripts that will run in the victim's browser. Affects shout >=0.44.0 <=0.49.3. |
| CVE-2017-16041 | | Medium | 0.38 | 5.9 | 0.01 | | Jun 4, 2018 | ikst versions before 1.1.2 download resources over HTTP, which leaves it vulnerable to MITM attacks. |
| CVE-2016-10530 | | Medium | 0.38 | 5.9 | 0.01 | | May 31, 2018 | The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP. Environment variables can often contain secret keys and other sensitive values. A malicious user could be on the same network as a regular user and intercept all the secret keys the… |
| CVE-2015-9243 | | Medium | 0.38 | 5.9 | 0.01 | | May 29, 2018 | When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have… |
| CVE-2018-3718 | | Medium | 0.35 | 5.3 | 0.01 | | Jun 7, 2018 | serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded. |
| CVE-2018-3712 | | Medium | 0.35 | 6.5 | 0.02 | | Jun 7, 2018 | serve node module before 6.4.9 suffers from a Path Traversal vulnerability due to not handling %2e (.) and %2f (/) and allowing them in paths, which allows a malicious user to view the contents of any directory with known path. |
| CVE-2017-16222 | | Medium | 0.35 | 5.3 | 0.02 | | Jun 7, 2018 | elding is a simple web server. elding is vulnerable to a directory traversal issue, allowing an attacker to access the filesystem by placing "../" in the url. The files accessible, however, are limited to files with a file extension. Sending a GET request to… |
| CVE-2016-10543 | | Medium | 0.35 | 5.3 | 0.01 | | May 31, 2018 | call is an HTTP router that is primarily used by the hapi framework. There exists a bug in call versions 2.0.1-3.0.1 that does not validate empty parameters, which could result in invalid input bypassing the route validation rules. |
| CVE-2015-9236 | | Medium | 0.35 | 5.3 | 0.02 | | May 31, 2018 | Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and… |
| CVE-2018-3726 | | Medium | 0.33 | 6.1 | 0.01 | | Jun 7, 2018 | crud-file-server node module before 0.8.0 suffers from a Cross-Site Scripting vulnerability due to a lack of validation of file names. |
| CVE-2017-16025 | | Medium | 0.32 | 5.9 | 0.02 | | Jun 4, 2018 | Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to `cookie`. Submitting an invalid… |
| CVE-2017-16007 | | Medium | 0.31 | 5.9 | 0.01 | | Jun 4, 2018 | node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key… |
| CVE-2016-10544 | | Medium | 0.31 | 5.9 | 0.01 | | May 31, 2018 | uws is a WebSocket server library. By sending a 256mb websocket message to a uws server instance with permessage-deflate enabled, there is a possibility used compression will shrink said 256mb down to less than 16mb of websocket payload which passes the length check of 16mb… |
| CVE-2016-10536 | | Medium | 0.31 | 5.9 | 0.01 | | May 31, 2018 | engine.io-client is the client for engine.io, the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. The vulnerability is related to the way that node.js handles the `rejectUnauthorized` setting. If the value is… |
| CVE-2016-10538 | | Low | 0.23 | 3.5 | 0.01 | | May 31, 2018 | The package `node-cli` before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to. |
| CVE-2016-10549 | | Medium | 0.22 | 4.4 | 0.01 | | May 31, 2018 | Sails is an MVC style framework for building realtime web applications. Version 0.12.7 and lower have an issue with the CORS configuration where the value of the origin header is reflected as the value for the Access-Control-Allow-Origin header. This would allow an attacker to… |
| CVE-2025-55127 | | | 0.00 | — | 0.00 | | Nov 20, 2025 | HackerOne community member Dao Hoang Anh (yoyomiski) has reported an improper neutralization of whitespace in the username when adding new users. A username with leading or trailing whitespace could be virtually indistinguishable from its legitimate counterpart when the username… |
| CVE-2017-16226 | | Critical | 0.00 | 9.8 | 0.04 | | Jun 7, 2018 | The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution. |
Page 3 of 4