| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue. |
| method-override is a module used by the Express.js framework to let you use HTTP verbs such as PUT or DELETE in places where the client doesn't support it. method-override is vulnerable to a regular expression denial of service vulnerability when specially crafted input is passed in to be parsed via the X-HTTP-Method-Override header. |
| serverzyy is a static file server. serverzyy is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
| http_static_simple is an http server. http_static_simple is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
| goserv is an http server. goserv is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
| simple-npm-registry is a local npm package cache. simple-npm-registry is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
| unicorn-list is a web framework. unicorn-list is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
| exxxxxxxxxxx is an Http eX Frame Google Style JavaScript Guide. exxxxxxxxxxx is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Accessible files are restricted to those with a file extension. Files with no extension such as /etc/passwd throw an error. |
| The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control the location (URL) that superagent makes a request to. |
| The module npm-script-demo opened a connection to a command and control server. It has been removed from the npm registry. |
| The module pandora-doomsday infects other modules. It's since been unpublished from the registry. |
| The module botbait is a tool to be used to track bot and automated tools usage with-in the npm ecosystem. botbait is known to record and track user information. The module tracks the following information. Source IP process.versions process.platform How the module was invoked (test, require, pre-install) |
| rtcmulticonnection-client is a signaling implementation for RTCMultiConnection.js, a multi-session manager. rtcmulticonnection-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
| node-server-forfront is a simple static file server. node-server-forfront is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
| welcomyzt is a simple file server. welcomyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
| cuciuci is a simple fileserver. cuciuci is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
| datachannel-client is a signaling implementation for DataChannel.js. datachannel-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
| liyujing is a static file server. liyujing is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
| Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition. |
| The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition. |
