https://www.hackerone.com/ https://www.hackerone.com/terms
fast-http-cli is the command line interface for fast-http, a simple web server. fast-http-cli is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.
opencv.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
calmquist.static-server is a static file server. calmquist.static-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
wffserve is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
peiserver is a static file server. peiserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers treat as a proper redirect as // is translated into the current schema being used. Mitigating factor: In order for this to work, st must be serving from the root of a server (/) rather than the typical sub directory (/static/) and the redirect URL will end with some form of URL encoded .. ("%2e%2e", "%2e.", ".%2e").
The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.
goserv is an http server. goserv is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
dasafio is a web server. dasafio is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. File access is restricted to only .html files.
fbr-client sends files through sockets via socket.io and webRTC. fbr-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
earlybird is a web server module for early development. earlybird is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
reecerver is a web server. reecerver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
censorify.tanisjr is a simple web server and API RESTful service. censorify.tanisjr is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
myserver.alexcthomas18 is a file server. myserver.alexcthomas18 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
open-device creates a web interface for any device. open-device is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
nodemailer.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
serverabc is a static file server. serverabc is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
tinyserver2 is a webserver for static files. tinyserver2 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
http_static_simple is an http server. http_static_simple is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox.
cross-env.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
scott-blanch-weather-app is a sample Node.js app using Express 4. scott-blanch-weather-app is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
mssql.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
jansenstuffpleasework is a file server. jansenstuffpleasework is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
utahcityfinder constructs lists of Utah cities with a certain prefix. utahcityfinder is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control the location (URL) that superagent makes a request to.
shit-server is a file server. shit-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
node-opencv was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
serverwg is a simple http server. serverwg is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
gaoxiaotingtingting is an HTTP server. gaoxiaotingtingting is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
dgard8.lab6 is a static file server. dgard8.lab6 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
qinserve is a static file server. qinserve is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
discordi.js is a malicious module based on the discord.js library that exfiltrates login tokens to pastebin.
cyber-js is a simple http server. A cyberjs server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
charset 1.0.0 and below are vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default header max length is 80kb, so the impact of the ReDoS is relatively low.
tencent-server is a simple web server. tencent-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
nodemailer-js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
jikes is a file server. jikes is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Accessible files are restricted to files with .htm and .js extensions.
openssl.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
mockserve is a file server. mockserve is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
method-override is a module used by the Express.js framework to let you use HTTP verbs such as PUT or DELETE in places where the client doesn't support it. method-override is vulnerable to a regular expression denial of service vulnerability when specially crafted input is passed in to be parsed via the X-HTTP-Method-Override header.
22lixian is a simple file server. 22lixian is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
yttivy is a static file server. yttivy is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
sspa is a server dedicated to single-page apps. sspa is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
xtalk helps your browser talk to nodex, a simple web framework. xtalk is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
The no-case module is vulnerable to regular expression denial of service. When malicious untrusted user input is passed into no-case it can block the event loop causing a denial of service condition.
looppake is a simple http server. looppake is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
serve46 is a static file server. serve46 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.