The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file, while it exists.
angular-http-server node module suffers from a Path Traversal vulnerability due to lack of validation of possibleFilename, which allows a malicious user to read content of any file with known path.
node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path.
serve node module before 6.4.9 suffers from a Path Traversal vulnerability due to not handling %2e (.) and %2f (/) and allowing them in paths, which allows a malicious user to view the contents of any directory with known path.
defaults-deep node module before 0.2.4 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
merge-deep node module before 3.0.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators.
Path Traversal vulnerability in module m-server <1.4.1 allows malicious user to access unauthorized content of any file in the directory tree e.g. /etc/passwd by appending slashes to the URL request.
restafary is a REpresentful State Transfer API for Creating, Reading, Using, Deleting files on a server from the web. Restafary before 1.6.1 is able to set up a root path, which should only allow it to run inside of that root path it specified.
glance node module before 3.0.4 suffers from a Path Traversal vulnerability due to lack of validation of path passed to it, which allows a malicious user to read content of any file with known path.
augustine node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path.
smb was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
mssql.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
The jquey module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation.
node-openssl was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
mongose was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
openssl.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
noderequest was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
nodecaffe was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
nodemailer-js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.
`sqlserver` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
gruntcli was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
`node-fabric` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
mssql-node was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
`sqliter` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
The coffescript module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation.
`jquery.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
cross-env.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
aegir is a module to help automate JavaScript project management. Version 12.0.0 through and including 12.0.7 bundled and published to npm the user (that performed a aegir-release) GitHub token.
The coffe-script module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation.
The cofeescript module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation.
http-proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.
The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP. Environment variables can often times contain secret keys and other sensitive values. A malicious user could be on the same network as a regular user and intercept all the secret keys the user is sending. This goes against common best practice, which is to use HTTPS.
A security issue was found in bittorrent-dht before 5.1.3 that allows someone to send a specific series of messages to a listening peer and get it to reveal internal memory.
Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route.
node-opencv was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
babelcli was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
`fabric-js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
nodeffmpeg was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
`sqlite.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
opencv.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
`d3.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
nodesass was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
ffmepg was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
nodemssql was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
shadowsock was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.