ugh, npm.
There are 25 npm security advisories affecting our repositories.
Severity: high
Versions of
markdown-to-jsx
prior to 6.11.4 are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containingdata
or VBScript URIs and a base64-encoded payload.
Severity: high
Versions of
cryptiles
prior to 4.1.2 are vulnerable to Insufficient Entropy. TherandomDigits()
method does not provide sufficient entropy and its generates digits that are not evenly distributed.
Severity: high
The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Severity: high
serialize-javascript
prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".An object such as
{"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"}
was serialized as{"foo": /1"/, "bar": "a\/1"/}
, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of. The UID has a keyspace of approximately 4 billion making it a realistic network attack. The following proof-of-concept calls console.log() when the running eval():
eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@__R-<UID>-0__@'}) + ')');
Severity: high
A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 <2.2.1 and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
Severity: high
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Severity: high
The
axios
NPM package before 0.21.1 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Severity: high
Overview
Affected versions of
immer
are vulnerable to Prototype Pollution.Proof of exploit
const {applyPatches, enablePatches} = require("immer"); enablePatches(); let obj = {}; console.log("Before : " + obj.polluted); applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]); // applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]); console.log("After : " + obj.polluted);
Remediation
Version 8.0.1 contains a fix for this vulnerability, updating is recommended.
Severity: high
Affected versions of
diff
are vulnerable to Regular Expression Denial of Service (ReDoS). This can cause an impact of about 10 seconds matching time for data 48K characters long.
Severity: high
Versions of
js-yaml
prior to 3.13.1 are vulnerable to Code Injection. Theload()
function may execute arbitrary code injected through a malicious YAML file. Objects that havetoString
as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through theload()
function. ThesafeLoad()
function is unaffected.An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object { "1553107949161": 1 }
Severity: moderate
Versions of
serialize-javascript
prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.
Severity: moderate
Affected versions of
acorn
are vulnerable to Regular Expression Denial of Service. A regex in the form of/[x-\ud800]/u
causes the parser to enter an infinite loop. The string is not valid UTF16 which usually results in it being sanitized before reaching the parser. If an application processes untrusted input and passes it directly toacorn
, attackers may leverage the vulnerability leading to Denial of Service.
Severity: moderate
Versions of
jquery
prior to 3.5.0 are vulnerable to Cross-Site Scripting. Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute arbitrary JavaScript in a victim's browser.
Severity: moderate
Affected versions of
socket.io
are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
Severity: moderate
prismjs
versions before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.
Severity: moderate
Affected versions of
static-eval
pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.Proof of concept
var evaluate = require('static-eval'); var parse = require('esprima').parse; var src = '(function(){console.log(process.pid)})()'; var ast = parse(src).body[0].expression; var res = evaluate(ast, {}); // Will print the process id
Severity: moderate
Versions of
static-eval
prior to 2.0.2 pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.Proof of concept
``` var evaluate = require('static-eval'); var parse = require('esprima').parse;
var src = process.argv[2]; var payload = '(function({x}){return x.constructor})({x:"".sub})("console.log(process.env)")()' var ast = parse(payload).body[0].expression; console.log(evaluate(ast, {x:1})); ```
Severity: moderate
Versions of
js-yaml
prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Severity: moderate
Versions of
jquery
prior to 3.4.0 are vulnerable to Prototype Pollution. The extend() method allows an attacker to modify the prototype forObject
causing changes in properties that will exist on all objects.
Severity: low
Affected versions of
minimist
are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype ofObject
, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument--__proto__.y=Polluted
adds ay
property with valuePolluted
to all objects. The argument--__proto__=Polluted
raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed tominimist
.
Severity: low
Versions of
kind-of
6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.
Severity: low
Affected versions of
yargs-parser
are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype ofObject
, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument--foo.__proto__.bar baz'
adds abar
property with valuebaz
to all objects. This is only exploitable if attackers have control over the arguments being passed toyargs-parser
.
Severity: low
Versions of
lodash
prior to 4.17.19 are vulnerable to Prototype Pollution. The functionzipObjectDeep
allows a malicious user to modify the prototype ofObject
if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
Severity: low
Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.
For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Severity: low
ini
before version 1.3.6 has a Prototype Pollution vulnerability.Impact
If an attacker submits a malicious INI file to an application that parses it with
ini.parse
, they will pollute the prototype on the application. This can be exploited further depending on the context.Patches
This has been patched in 1.3.6
Steps to reproduce
payload.ini
[__proto__] polluted = "polluted"
poc.js: ``` var fs = require('fs') var ini = require('ini')
var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8')) console.log(parsed) console.log(parsed.proto) console.log(polluted) ```
```
node poc.js {} { polluted: 'polluted' } { polluted: 'polluted' } polluted
```