https://www.hackerone.com/ https://www.hackerone.com/terms
crud-file-server node module before 0.8.0 suffers from a Cross-Site Scripting vulnerability to a lack of validation of file names.
lab6.brit95 is a file server. lab6.brit95 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
yttivy is a static file server. yttivy is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
lessindex is a static file server. lessindex is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.
mixin-deep node module before 1.3.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
defaults-deep node module before 0.2.4 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
https-proxy-agent before 2.1.1 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).
quickserver is a simple static file server. quickserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
sspa is a server dedicated to single-page apps. sspa is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
cross-env.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
resolve-path node module before 1.4.0 suffers from a Path Traversal vulnerability due to lack of validation of paths with certain special characters, which allows a malicious user to read content of any file with known path.
protobufjs is vulnerable to ReDoS when parsing crafted invalid .proto files.
serve node module before 6.4.9 suffers from a Path Traversal vulnerability due to not handling %2e (.) and %2f (/) and allowing them in paths, which allows a malicious user to view the contents of any directory with known path.
The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox.
gruntcli was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
jn_jj_server is a static file server. jn_jj_server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
node-simple-router is a minimalistic router for Node. node-simple-router is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
enserver is a simple web server. enserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
mcstatic node module suffers from a Path Traversal vulnerability due to lack of validation of filePath, which allows a malicious user to read content of any file with known path.
bracket-template suffers from reflected XSS possible when variable passed via GET parameter is used in template
yzt is a simple file server. yzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
looppake is a simple http server. looppake is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
node-opensl was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
tiny-http is a simple http server. tiny-http is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
myserver.alexcthomas18 is a file server. myserver.alexcthomas18 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
localhost-now node module suffers from a Path Traversal vulnerability due to lack of validation of file, which allows a malicious user to read content of any file with known path.
node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path.
nodeffmpeg was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
assign-deep node module before 0.4.7 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
mfrs is a static file server. mfrs is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
tencent-server is a simple web server. tencent-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
node-openssl was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
fbr-client sends files through sockets via socket.io and webRTC. fbr-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
nodemssql was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
reecerver is a web server. reecerver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
dcdcdcdcdc is a static file server. dcdcdcdcdc is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled.
rtcmulticonnection-client is a signaling implementation for RTCMultiConnection.js, a multi-session manager. rtcmulticonnection-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
nodemailer.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
byucslabsix is an http server. byucslabsix is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
serverwzl is a simple http server. serverwzl is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
mongose was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
desafio is a simple web server. desafio is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url, but is limited to accessing only .html files.
dylmomo is a simple file server. dylmomo is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
elding is a simple web server. elding is vulnerable to a directory traversal issue, allowing an attacker to access the filesystem by placing "../" in the url. The files accessible, however, are limited to files with a file extension. Sending a GET request to /../../../etc/passwd, for example, will return a 404 on etc/passwd/index.js.
public node module suffers from a Path Traversal vulnerability due to lack of validation of filePath, which allows a malicious user to read content of any file with known path.
626 node module suffers from a Path Traversal vulnerability due to lack of validation of file, which allows a malicious user to read content of any file with known path.
scott-blanch-weather-app is a sample Node.js app using Express 4. scott-blanch-weather-app is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.