katerinaorg / nodegoat

This project forked from owasp/nodegoat


The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.

Home Page: https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project

License: Apache License 2.0

JavaScript 39.22% HTML 60.53% Dockerfile 0.25%

nodegoat's People

Contributors

ahnteve, binarymist, bizob2828, ckarande, diniscruz, ilich, ingben, inosec2, jboyer2012, jesusprubio, jksdua, joebowbeer, karlhorky, katerinaozerova, kevinnz, kooltheba, lirantal, lucas1004jx, marcinhoppe, mend-for-github-com[bot], mhxbe, michaelficarra, mostafahussein, oleksiireshetnik, rcowsill, samanthagroves, servatj, tehtbl, tomtasche, ulisesgascon

nodegoat's Issues

CVE-2014-7191 (Medium) detected in qs-0.6.6.tgz

CVE-2014-7191 - Medium Severity Vulnerability

Vulnerable Library - qs-0.6.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/zaproxy/node_modules/qs/package.json

Dependency Hierarchy:

  • zaproxy-0.2.0.tgz (Root Library)
    • request-2.36.0.tgz
      • qs-0.6.6.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.

Publish Date: 2014-10-19

URL: CVE-2014-7191

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: N/A
    • Attack Complexity: N/A
    • Privileges Required: N/A
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191

Release Date: 2014-10-19

Fix Resolution: 1.0.0

CVE-2019-13173 (High) detected in fstream-1.0.10.tgz

CVE-2019-13173 - High Severity Vulnerability

Vulnerable Library - fstream-1.0.10.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.10.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/node_modules/fstream/package.json

Dependency Hierarchy:

  • grunt-npm-install-0.3.1.tgz (Root Library)
    • npm-3.10.10.tgz
      • fstream-1.0.10.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Publish Date: 2019-07-02

URL: CVE-2019-13173

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173

Release Date: 2019-07-02

Fix Resolution: 1.0.12

WS-2018-0076 (Medium) detected in tunnel-agent-0.4.3.tgz

WS-2018-0076 - Medium Severity Vulnerability

Vulnerable Library - tunnel-agent-0.4.3.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/tunnel-agent/package.json,NodeGoat/node_modules/npm/node_modules/request/node_modules/tunnel-agent/package.json

Dependency Hierarchy:

  • grunt-retire-0.3.12.tgz (Root Library)
    • request-2.67.0.tgz
      • tunnel-agent-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure.

This is exploitable if user-supplied input is provided to the auth value and is a number.

Publish Date: 2017-03-05

URL: WS-2018-0076

CVSS 3 Score Details (5.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2018-01-27

Fix Resolution: 0.6.0

WS-2017-0247 (Low) detected in ms-0.7.1.tgz

WS-2017-0247 - Low Severity Vulnerability

Vulnerable Library - ms-0.7.1.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/mocha/node_modules/ms/package.json,NodeGoat/node_modules/nyc/node_modules/ms/package.json,NodeGoat/node_modules/npm/node_modules/node-gyp/node_modules/path-array/node_modules/array-index/node_modules/debug/node_modules/ms/package.json,NodeGoat/node_modules/connect/node_modules/ms/package.json

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Root Library)
    • debug-2.2.0.tgz
      • ms-0.7.1.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-04-12

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: vercel/ms#89

Release Date: 2017-04-12

Fix Resolution: 2.1.1

CVE-2020-7610 (High) detected in bson-1.0.9.tgz

CVE-2020-7610 - High Severity Vulnerability

Vulnerable Library - bson-1.0.9.tgz

A bson parser for node.js and the browser

Library home page: https://registry.npmjs.org/bson/-/bson-1.0.9.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/bson/package.json

Dependency Hierarchy:

  • mongodb-2.2.36.tgz (Root Library)
    • mongodb-core-2.1.20.tgz
      • bson-1.0.9.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.

Publish Date: 2020-03-30

URL: CVE-2020-7610

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/mongodb/js-bson/releases/tag/v1.1.4

Release Date: 2020-03-30

Fix Resolution: bson - 1.1.4

WS-2019-0492 (High) detected in handlebars-4.0.5.tgz

WS-2019-0492 - High Severity Vulnerability

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-reports-1.0.0-alpha.8.tgz
              • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-19

URL: WS-2019-0492

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-11-19

Fix Resolution: handlebars - 3.0.8,4.5.3

WS-2017-3772 (High) detected in underscore.string-3.3.5.tgz

WS-2017-3772 - High Severity Vulnerability

Vulnerable Library - underscore.string-3.3.5.tgz

String manipulation extensions for Underscore.js javascript library.

Library home page: https://registry.npmjs.org/underscore.string/-/underscore.string-3.3.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/underscore.string/package.json

Dependency Hierarchy:

  • grunt-jsbeautifier-0.2.13.tgz (Root Library)
    • underscore.string-3.3.5.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

A Regular Expression Denial of Service (ReDoS) vulnerability was found in underscore.string 2.4.0 through 3.3.5.

Publish Date: 2017-09-08

URL: WS-2017-3772

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2019-19919 (High) detected in handlebars-4.0.5.tgz

CVE-2019-19919 - High Severity Vulnerability

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-reports-1.0.0-alpha.8.tgz
              • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1164

Release Date: 2019-12-20

Fix Resolution: 4.3.0

CVE-2020-7598 (Medium) detected in multiple libraries

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz, minimist-0.0.10.tgz

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/coveralls/node_modules/minimist/package.json,NodeGoat/node_modules/nyc/node_modules/detect-indent/node_modules/minimist/package.json,NodeGoat/node_modules/cypress/node_modules/minimist/package.json,NodeGoat/node_modules/rc/node_modules/minimist/package.json,NodeGoat/node_modules/meow/node_modules/minimist/package.json

Dependency Hierarchy:

  • grunt-concurrent-2.3.1.tgz (Root Library)
    • pad-stream-1.2.0.tgz
      • meow-3.7.0.tgz
        • minimist-1.2.0.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/mkdirp/node_modules/minimist/package.json,NodeGoat/node_modules/nyc/node_modules/minimist/package.json,NodeGoat/node_modules/npm/node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

  • grunt-npm-install-0.3.1.tgz (Root Library)
    • npm-3.10.10.tgz
      • mkdirp-0.5.1.tgz
        • minimist-0.0.8.tgz (Vulnerable Library)

minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/minimist/package.json

Dependency Hierarchy:

  • forever-2.0.0.tgz (Root Library)
    • optimist-0.6.1.tgz
      • minimist-0.0.10.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

WS-2018-0628 (Medium) detected in marked-0.3.9.tgz

WS-2018-0628 - Medium Severity Vulnerability

Vulnerable Library - marked-0.3.9.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.9.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/marked/package.json

Dependency Hierarchy:

  • marked-0.3.9.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

marked before 0.4.0 is vulnerable to Regular Expression Denial of Service (ReDoS) through heading in marked.js.

Publish Date: 2018-04-16

URL: WS-2018-0628

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/0.4.0

Release Date: 2018-04-16

Fix Resolution: marked - 0.4.0

CVE-2017-15010 (High) detected in tough-cookie-2.3.1.tgz, tough-cookie-2.2.2.tgz

CVE-2017-15010 - High Severity Vulnerability

Vulnerable Libraries - tough-cookie-2.3.1.tgz, tough-cookie-2.2.2.tgz

tough-cookie-2.3.1.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/node_modules/request/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • grunt-npm-install-0.3.1.tgz (Root Library)
    • npm-3.10.10.tgz
      • request-2.75.0.tgz
        • tough-cookie-2.3.1.tgz (Vulnerable Library)

tough-cookie-2.2.2.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.2.2.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/grunt-retire/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • grunt-retire-0.3.12.tgz (Root Library)
    • request-2.67.0.tgz
      • tough-cookie-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

Publish Date: 2017-10-04

URL: CVE-2017-15010

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15010

Release Date: 2017-10-04

Fix Resolution: 2.3.3

WS-2021-0154 (Medium) detected in glob-parent-2.0.0.tgz, glob-parent-3.1.0.tgz

WS-2021-0154 - Medium Severity Vulnerability

Vulnerable Libraries - glob-parent-2.0.0.tgz, glob-parent-3.1.0.tgz

glob-parent-2.0.0.tgz

Strips glob magic from a string to provide the parent path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • micromatch-2.3.11.tgz
              • parse-glob-3.0.4.tgz
                • glob-base-0.3.0.tgz
                  • glob-parent-2.0.0.tgz (Vulnerable Library)

glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • nodemon-1.19.1.tgz (Root Library)
    • chokidar-2.1.6.tgz
      • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

A Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.

Publish Date: 2021-01-27

URL: WS-2021-0154

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2

Release Date: 2021-01-27

Fix Resolution: glob-parent - 5.1.2

WS-2019-0063 (High) detected in js-yaml-3.6.1.tgz, js-yaml-3.5.5.tgz

WS-2019-0063 - High Severity Vulnerability

Vulnerable Libraries - js-yaml-3.6.1.tgz, js-yaml-3.5.5.tgz

js-yaml-3.6.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.6.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/coveralls/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • coveralls-2.13.3.tgz
            • js-yaml-3.6.1.tgz (Vulnerable Library)

js-yaml-3.5.5.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.5.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • js-yaml-3.5.5.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution: js-yaml - 3.13.1

CVE-2019-20922 (High) detected in handlebars-4.0.5.tgz

CVE-2019-20922 - High Severity Vulnerability

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-reports-1.0.0-alpha.8.tgz
              • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

Publish Date: 2020-09-30

URL: CVE-2019-20922

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2020-10-07

Fix Resolution: handlebars - 4.4.5

WS-2019-0064 (High) detected in handlebars-4.0.5.tgz

WS-2019-0064 - High Severity Vulnerability

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-reports-1.0.0-alpha.8.tgz
              • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.

Publish Date: 2019-01-30

URL: WS-2019-0064

CVSS 3 Score Details (8.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: N/A
    • Attack Complexity: N/A
    • Privileges Required: N/A
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/755/versions

Release Date: 2019-04-30

Fix Resolution: 1.0.6-2,4.0.14,4.1.2

CVE-2018-1107 (Medium) detected in is-my-json-valid-2.15.0.tgz

CVE-2018-1107 - Medium Severity Vulnerability

Vulnerable Library - is-my-json-valid-2.15.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.15.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/node_modules/request/node_modules/har-validator/node_modules/is-my-json-valid/package.json

Dependency Hierarchy:

  • grunt-npm-install-0.3.1.tgz (Root Library)
    • npm-3.10.10.tgz
      • request-2.75.0.tgz
        • har-validator-2.0.6.tgz
          • is-my-json-valid-2.15.0.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. A specially crafted JSON file could cause it to consume an excessive amount of CPU time when validated.

Publish Date: 2021-03-30

URL: CVE-2018-1107

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1546357

Release Date: 2020-07-21

Fix Resolution: 1.4.2,2.17.2

WS-2020-0344 (High) detected in is-my-json-valid-2.19.0.tgz, is-my-json-valid-2.15.0.tgz

WS-2020-0344 - High Severity Vulnerability

Vulnerable Libraries - is-my-json-valid-2.19.0.tgz, is-my-json-valid-2.15.0.tgz

is-my-json-valid-2.19.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.19.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/is-my-json-valid/package.json

Dependency Hierarchy:

  • grunt-retire-0.3.12.tgz (Root Library)
    • request-2.67.0.tgz
      • har-validator-2.0.6.tgz
        • is-my-json-valid-2.19.0.tgz (Vulnerable Library)

is-my-json-valid-2.15.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.15.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/node_modules/request/node_modules/har-validator/node_modules/is-my-json-valid/package.json

Dependency Hierarchy:

  • grunt-npm-install-0.3.1.tgz (Root Library)
    • npm-3.10.10.tgz
      • request-2.75.0.tgz
        • har-validator-2.0.6.tgz
          • is-my-json-valid-2.15.0.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

An Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the formatName function.

Publish Date: 2020-06-09

URL: WS-2020-0344

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: mafintosh/is-my-json-valid@c3fc04f

Release Date: 2020-06-09

Fix Resolution: is-my-json-valid - 2.20.3

CVE-2019-20920 (High) detected in handlebars-4.0.5.tgz

CVE-2019-20920 - High Severity Vulnerability

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-reports-1.0.0-alpha.8.tgz
              • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Publish Date: 2020-09-30

URL: CVE-2019-20920

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2020-10-15

Fix Resolution: handlebars - 4.5.3

CVE-2021-33623 (High) detected in trim-newlines-1.0.0.tgz

CVE-2021-33623 - High Severity Vulnerability

Vulnerable Library - trim-newlines-1.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/trim-newlines/package.json

Dependency Hierarchy:

  • grunt-concurrent-2.3.1.tgz (Root Library)
    • pad-stream-1.2.0.tgz
      • meow-3.7.0.tgz
        • trim-newlines-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution: trim-newlines - 3.0.1, 4.0.1

CVE-2020-28282 (High) detected in getobject-0.1.0.tgz

CVE-2020-28282 - High Severity Vulnerability

Vulnerable Library - getobject-0.1.0.tgz

get.and.set.deep.objects.easily = true

Library home page: https://registry.npmjs.org/getobject/-/getobject-0.1.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/getobject/package.json

Dependency Hierarchy:

  • grunt-1.0.3.tgz (Root Library)
    • grunt-legacy-util-1.1.1.tgz
      • getobject-0.1.0.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.

Publish Date: 2020-12-29

URL: CVE-2020-28282

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/package/getobject

Release Date: 2020-12-29

Fix Resolution: getobject - 1.0.0

WS-2020-0180 (High) detected in npm-user-validate-0.1.5.tgz

WS-2020-0180 - High Severity Vulnerability

Vulnerable Library - npm-user-validate-0.1.5.tgz

User validations for npm

Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-0.1.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/node_modules/npm-user-validate/package.json

Dependency Hierarchy:

  • grunt-npm-install-0.3.1.tgz (Root Library)
    • npm-3.10.10.tgz
      • npm-user-validate-0.1.5.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

The package npm-user-validate prior to version 1.0.1 is vulnerable to REDoS. The regex that validates a user's email took exponentially longer to process input strings that begin with the '@' character.

Publish Date: 2020-10-16

URL: WS-2020-0180

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xgh6-85xh-479p

Release Date: 2020-10-16

Fix Resolution: 1.0.1

CVE-2019-10747 (High) detected in set-value-0.4.3.tgz, set-value-2.0.0.tgz

CVE-2019-10747 - High Severity Vulnerability

Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz

set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/union-value/node_modules/set-value/package.json

Dependency Hierarchy:

  • nodemon-1.19.1.tgz (Root Library)
    • chokidar-2.1.6.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • cache-base-1.0.1.tgz
              • union-value-1.0.0.tgz
                • set-value-0.4.3.tgz (Vulnerable Library)

set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/set-value/package.json

Dependency Hierarchy:

  • nodemon-1.19.1.tgz (Root Library)
    • chokidar-2.1.6.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • cache-base-1.0.1.tgz
              • set-value-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and __proto__ payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/set-value@95e9d99

Release Date: 2019-07-24

Fix Resolution: 2.0.1,3.0.1

CVE-2020-7754 (High) detected in npm-user-validate-0.1.5.tgz

CVE-2020-7754 - High Severity Vulnerability

Vulnerable Library - npm-user-validate-0.1.5.tgz

User validations for npm

Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-0.1.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/node_modules/npm-user-validate/package.json

Dependency Hierarchy:

  • grunt-npm-install-0.3.1.tgz (Root Library)
    • npm-3.10.10.tgz
      • npm-user-validate-0.1.5.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.

Publish Date: 2020-10-27

URL: CVE-2020-7754

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7754

Release Date: 2020-07-21

Fix Resolution: 1.0.1

WS-2019-0231 (Medium) detected in adm-zip-0.4.4.tgz

WS-2019-0231 - Medium Severity Vulnerability

Vulnerable Library - adm-zip-0.4.4.tgz

A Javascript implementation of zip for nodejs. Allows user to create or extract zip files both in memory or to/from disk

Library home page: https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.4.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/adm-zip/package.json

Dependency Hierarchy:

  • selenium-webdriver-2.53.3.tgz (Root Library)
    • adm-zip-0.4.4.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

adm-zip versions before 0.4.9 are vulnerable to Arbitrary File Write due to extraction of a specifically crafted archive that contains path traversal filenames.

Publish Date: 2018-04-22

URL: WS-2019-0231

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/994

Release Date: 2019-09-09

Fix Resolution: 0.4.9

CVE-2019-20149 (High) detected in kind-of-6.0.2.tgz

CVE-2019-20149 - High Severity Vulnerability

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/extglob/node_modules/kind-of/package.json,NodeGoat/node_modules/make-iterator/node_modules/kind-of/package.json,NodeGoat/node_modules/define-property/node_modules/kind-of/package.json,NodeGoat/node_modules/nanomatch/node_modules/kind-of/package.json,NodeGoat/node_modules/base/node_modules/kind-of/package.json,NodeGoat/node_modules/micromatch/node_modules/kind-of/package.json,NodeGoat/node_modules/snapdragon-node/node_modules/kind-of/package.json,NodeGoat/node_modules/liftoff/node_modules/kind-of/package.json

Dependency Hierarchy:

  • grunt-cli-1.3.2.tgz (Root Library)
    • liftoff-2.5.0.tgz
      • findup-sync-2.0.0.tgz
        • micromatch-3.1.10.tgz
          • kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution: 6.0.3

CVE-2018-21270 (Medium) detected in stringstream-0.0.5.tgz

CVE-2018-21270 - Medium Severity Vulnerability

Vulnerable Library - stringstream-0.0.5.tgz

Encode and decode streams into string streams

Library home page: https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/node_modules/request/node_modules/stringstream/package.json

Dependency Hierarchy:

  • grunt-npm-install-0.3.1.tgz (Root Library)
    • npm-3.10.10.tgz
      • request-2.75.0.tgz
        • stringstream-0.0.5.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).

Publish Date: 2020-12-03

URL: CVE-2018-21270

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21270

Release Date: 2020-12-03

Fix Resolution: 0.0.6

CVE-2020-28469 (High) detected in glob-parent-2.0.0.tgz, glob-parent-3.1.0.tgz

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Libraries - glob-parent-2.0.0.tgz, glob-parent-3.1.0.tgz

glob-parent-2.0.0.tgz

Strips glob magic from a string to provide the parent path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • micromatch-2.3.11.tgz
              • parse-glob-3.0.4.tgz
                • glob-base-0.3.0.tgz
                  • glob-parent-2.0.0.tgz (Vulnerable Library)

glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • nodemon-1.19.1.tgz (Root Library)
    • chokidar-2.1.6.tgz
      • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

CVE-2021-23369 (High) detected in handlebars-4.0.5.tgz

CVE-2021-23369 - High Severity Vulnerability

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-reports-1.0.0-alpha.8.tgz
              • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369

Release Date: 2021-04-12

Fix Resolution: handlebars - 4.7.7

WS-2019-0103 (Medium) detected in handlebars-4.0.5.tgz

WS-2019-0103 - Medium Severity Vulnerability

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-reports-1.0.0-alpha.8.tgz
              • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Handlebars.js before 4.1.0 has Remote Code Execution (RCE).

Publish Date: 2019-01-30

URL: WS-2019-0103

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: handlebars-lang/handlebars.js@edc6220

Release Date: 2019-05-30

Fix Resolution: 4.1.0

WS-2018-0084 (High) detected in sshpk-1.10.1.tgz

WS-2018-0084 - High Severity Vulnerability

Vulnerable Library - sshpk-1.10.1.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.10.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/node_modules/request/node_modules/http-signature/node_modules/sshpk/package.json

Dependency Hierarchy:

  • grunt-npm-install-0.3.1.tgz (Root Library)
    • npm-3.10.10.tgz
      • request-2.75.0.tgz
        • http-signature-1.1.1.tgz
          • sshpk-1.10.1.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Versions of sshpk before 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Publish Date: 2018-04-25

URL: WS-2018-0084

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/606

Release Date: 2018-01-27

Fix Resolution: 1.14.1

WS-2019-0493 (High) detected in handlebars-4.0.5.tgz

WS-2019-0493 - High Severity Vulnerability

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-reports-1.0.0-alpha.8.tgz
              • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.2 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-14

URL: WS-2019-0493

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-11-14

Fix Resolution: handlebars - 3.0.8,4.5.2

WS-2020-0163 (Medium) detected in marked-0.3.9.tgz

WS-2020-0163 - Medium Severity Vulnerability

Vulnerable Library - marked-0.3.9.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.9.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/marked/package.json

Dependency Hierarchy:

  • marked-0.3.9.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js has multiple unused capture groups which can lead to a Denial of Service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/v1.1.1

Release Date: 2020-07-02

Fix Resolution: marked - 1.1.1

CVE-2019-10744 (High) detected in multiple libraries

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Libraries - lodash-4.13.1.tgz, lodash-4.17.11.tgz, lodash-2.4.2.tgz

lodash-4.13.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-lib-instrument-1.1.0-alpha.4.tgz
              • babel-generator-6.11.4.tgz
                • lodash-4.13.1.tgz (Vulnerable Library)

lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/lodash/package.json

Dependency Hierarchy:

  • async-2.6.1.tgz (Root Library)
    • lodash-4.17.11.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/zaproxy/node_modules/lodash/package.json

Dependency Hierarchy:

  • zaproxy-0.2.0.tgz (Root Library)
    • lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-08

Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge-4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0

WS-2018-0148 (High) detected in utile-0.2.1.tgz, utile-0.3.0.tgz

WS-2018-0148 - High Severity Vulnerability

Vulnerable Libraries - utile-0.2.1.tgz, utile-0.3.0.tgz

utile-0.2.1.tgz

A drop-in replacement for `util` with some additional advantageous functions

Library home page: https://registry.npmjs.org/utile/-/utile-0.2.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/prompt/node_modules/utile/package.json,NodeGoat/node_modules/broadway/node_modules/utile/package.json

Dependency Hierarchy:

  • forever-2.0.0.tgz (Root Library)
    • flatiron-0.4.3.tgz
      • prompt-0.2.14.tgz
        • utile-0.2.1.tgz (Vulnerable Library)

utile-0.3.0.tgz

A drop-in replacement for `util` with some additional advantageous functions

Library home page: https://registry.npmjs.org/utile/-/utile-0.3.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/utile/package.json

Dependency Hierarchy:

  • forever-2.0.0.tgz (Root Library)
    • utile-0.3.0.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

The utile npm module, version 0.3.0, allows an attacker to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed (e.g. from JSON).

Publish Date: 2018-07-16

URL: WS-2018-0148

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

CVE-2018-1002204 (Medium) detected in adm-zip-0.4.4.tgz

CVE-2018-1002204 - Medium Severity Vulnerability

Vulnerable Library - adm-zip-0.4.4.tgz

A Javascript implementation of zip for nodejs. Allows user to create or extract zip files both in memory or to/from disk

Library home page: https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.4.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/adm-zip/package.json

Dependency Hierarchy:

  • selenium-webdriver-2.53.3.tgz (Root Library)
    • adm-zip-0.4.4.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Publish Date: 2018-07-25

URL: CVE-2018-1002204

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1002204

Release Date: 2018-07-25

Fix Resolution: 0.4.9

CVE-2021-23383 (High) detected in handlebars-4.0.5.tgz

CVE-2021-23383 - High Severity Vulnerability

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-reports-1.0.0-alpha.8.tgz
              • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-05-04

URL: CVE-2021-23383

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

Release Date: 2021-05-04

Fix Resolution: handlebars - v4.7.7

CVE-2017-16137 (Medium) detected in debug-2.2.0.tgz

CVE-2017-16137 - Medium Severity Vulnerability

Vulnerable Library - debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/node_modules/node-gyp/node_modules/path-array/node_modules/array-index/node_modules/debug/package.json,NodeGoat/node_modules/nyc/node_modules/debug/package.json,NodeGoat/node_modules/connect/node_modules/debug/package.json,NodeGoat/node_modules/mocha/node_modules/debug/package.json

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Root Library)
    • debug-2.2.0.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137

Release Date: 2018-06-07

Fix Resolution: 2.6.9

CVE-2019-10746 (High) detected in mixin-deep-1.3.1.tgz

CVE-2019-10746 - High Severity Vulnerability

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/mixin-deep/package.json

Dependency Hierarchy:

  • nodemon-1.19.1.tgz (Root Library)
    • chokidar-2.1.6.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/mixin-deep@8f464c8

Release Date: 2019-07-11

Fix Resolution: 1.3.2,2.0.1

CVE-2020-28500 (Medium) detected in lodash-4.13.1.tgz, lodash-4.17.11.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-4.13.1.tgz, lodash-4.17.11.tgz

lodash-4.13.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-lib-instrument-1.1.0-alpha.4.tgz
              • babel-generator-6.11.4.tgz
                • lodash-4.13.1.tgz (Vulnerable Library)

lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/lodash/package.json

Dependency Hierarchy:

  • async-2.6.1.tgz (Root Library)
    • lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash-4.17.21

WS-2020-0342 (Medium) detected in is-my-json-valid-2.15.0.tgz, is-my-json-valid-2.19.0.tgz

WS-2020-0342 - Medium Severity Vulnerability

Vulnerable Libraries - is-my-json-valid-2.15.0.tgz, is-my-json-valid-2.19.0.tgz

is-my-json-valid-2.15.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.15.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/node_modules/request/node_modules/har-validator/node_modules/is-my-json-valid/package.json

Dependency Hierarchy:

  • grunt-npm-install-0.3.1.tgz (Root Library)
    • npm-3.10.10.tgz
      • request-2.75.0.tgz
        • har-validator-2.0.6.tgz
          • is-my-json-valid-2.15.0.tgz (Vulnerable Library)

is-my-json-valid-2.19.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.19.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/is-my-json-valid/package.json

Dependency Hierarchy:

  • grunt-retire-0.3.12.tgz (Root Library)
    • request-2.67.0.tgz
      • har-validator-2.0.6.tgz
        • is-my-json-valid-2.19.0.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.

Publish Date: 2020-06-27

URL: WS-2020-0342

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: mafintosh/is-my-json-valid@c3fc04f

Release Date: 2020-06-27

Fix Resolution: is-my-json-valid - 2.20.2

WS-2018-0590 (High) detected in diff-1.4.0.tgz

WS-2018-0590 - High Severity Vulnerability

Vulnerable Library - diff-1.4.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-1.4.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/diff/package.json

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Root Library)
    • diff-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

A vulnerability was found in diff before v3.5.0. The affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 2 Score Details (7.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: kpdecker/jsdiff@2aec429

Release Date: 2019-06-11

Fix Resolution: 3.5.0

CVE-2020-8203 (High) detected in multiple libraries

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Libraries - lodash-4.13.1.tgz, lodash-2.4.2.tgz, lodash-4.17.11.tgz

lodash-4.13.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/nyc/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-lib-instrument-1.1.0-alpha.4.tgz
              • babel-generator-6.11.4.tgz
                • lodash-4.13.1.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/zaproxy/node_modules/lodash/package.json

Dependency Hierarchy:

  • zaproxy-0.2.0.tgz (Root Library)
    • lodash-2.4.2.tgz (Vulnerable Library)

lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/lodash/package.json

Dependency Hierarchy:

  • async-2.6.1.tgz (Root Library)
    • lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-10-21

Fix Resolution: lodash - 4.17.19

CVE-2016-1000232 (Medium) detected in tough-cookie-2.2.2.tgz

CVE-2016-1000232 - Medium Severity Vulnerability

Vulnerable Library - tough-cookie-2.2.2.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.2.2.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/grunt-retire/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • grunt-retire-0.3.12.tgz (Root Library)
    • request-2.67.0.tgz
      • tough-cookie-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appears to be exploitable via a custom HTTP header passed by the client. This vulnerability appears to have been fixed in 2.3.0.

Publish Date: 2018-09-05

URL: CVE-2016-1000232

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/130

Release Date: 2018-09-05

Fix Resolution: 2.3.0

WS-2020-0345 (High) detected in jsonpointer-4.0.0.tgz, jsonpointer-4.0.1.tgz

WS-2020-0345 - High Severity Vulnerability

Vulnerable Libraries - jsonpointer-4.0.0.tgz, jsonpointer-4.0.1.tgz

jsonpointer-4.0.0.tgz

Simple JSON Addressing.

Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/node_modules/request/node_modules/har-validator/node_modules/is-my-json-valid/node_modules/jsonpointer/package.json

Dependency Hierarchy:

  • grunt-npm-install-0.3.1.tgz (Root Library)
    • npm-3.10.10.tgz
      • request-2.75.0.tgz
        • har-validator-2.0.6.tgz
          • is-my-json-valid-2.15.0.tgz
            • jsonpointer-4.0.0.tgz (Vulnerable Library)

jsonpointer-4.0.1.tgz

Simple JSON Addressing.

Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/jsonpointer/package.json

Dependency Hierarchy:

  • grunt-retire-0.3.12.tgz (Root Library)
    • request-2.67.0.tgz
      • har-validator-2.0.6.tgz
        • is-my-json-valid-2.19.0.tgz
          • jsonpointer-4.0.1.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Prototype Pollution vulnerability was found in jsonpointer before 4.1.0 via the set function.

Publish Date: 2020-07-03

URL: WS-2020-0345

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/janl/node-jsonpointer/releases/tag/v4.1.0

Release Date: 2020-07-03

Fix Resolution: jsonpointer - 4.1.0

CVE-2014-10064 (High) detected in qs-0.6.6.tgz

CVE-2014-10064 - High Severity Vulnerability

Vulnerable Library - qs-0.6.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/zaproxy/node_modules/qs/package.json

Dependency Hierarchy:

  • zaproxy-0.2.0.tgz (Root Library)
    • request-2.36.0.tgz
      • qs-0.6.6.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

The qs module before 1.0.0 does not have an option or default for specifying object depth, and when parsing a string representing a deeply nested object it will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition; for example, in a web application, other requests would not be processed while this blocking is occurring.

Publish Date: 2018-05-31

URL: CVE-2014-10064

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/28

Release Date: 2014-08-06

Fix Resolution: Update to version 1.0.0 or later

CVE-2017-16138 (High) detected in mime-1.2.11.tgz

CVE-2017-16138 - High Severity Vulnerability

Vulnerable Library - mime-1.2.11.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.2.11.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/zaproxy/node_modules/mime/package.json

Dependency Hierarchy:

  • zaproxy-0.2.0.tgz (Root Library)
    • request-2.36.0.tgz
      • mime-1.2.11.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-06-07

Fix Resolution: 1.4.1,2.0.3

CVE-2016-10540 (High) detected in minimatch-0.3.0.tgz

CVE-2016-10540 - High Severity Vulnerability

Vulnerable Library - minimatch-0.3.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/mocha/node_modules/minimatch/package.json

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Root Library)
    • glob-3.2.11.tgz
      • minimatch-0.3.0.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

CVE-2018-20834 (High) detected in tar-2.2.1.tgz

CVE-2018-20834 - High Severity Vulnerability

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/node_modules/tar/package.json

Dependency Hierarchy:

  • grunt-npm-install-0.3.1.tgz (Root Library)
    • npm-3.10.10.tgz
      • tar-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20834

Release Date: 2019-04-30

Fix Resolution: tar - 2.2.2,4.4.2

CVE-2020-15095 (Medium) detected in npm-3.10.10.tgz

CVE-2020-15095 - Medium Severity Vulnerability

Vulnerable Library - npm-3.10.10.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-3.10.10.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/npm/package.json

Dependency Hierarchy:

  • grunt-npm-install-0.3.1.tgz (Root Library)
    • npm-3.10.10.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log files.

Publish Date: 2020-07-07

URL: CVE-2020-15095

CVSS 3 Score Details (4.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-93f3-23rq-pjfp

Release Date: 2020-07-07

Fix Resolution: npm - 6.14.6

WS-2017-0266 (Low) detected in http-signature-0.10.1.tgz

WS-2017-0266 - Low Severity Vulnerability

Vulnerable Library - http-signature-0.10.1.tgz

Reference implementation of Joyent's HTTP Signature scheme.

Library home page: https://registry.npmjs.org/http-signature/-/http-signature-0.10.1.tgz

Path to dependency file: NodeGoat/package.json

Path to vulnerable library: NodeGoat/node_modules/zaproxy/node_modules/http-signature/package.json

Dependency Hierarchy:

  • zaproxy-0.2.0.tgz (Root Library)
    • request-2.36.0.tgz
      • http-signature-0.10.1.tgz (Vulnerable Library)

Found in HEAD commit: d4439588ceae22fa05afef2155f4ec9819386fcf

Vulnerability Details

Affected versions (before 1.0.0) of the http-signature package are vulnerable to Timing Attacks.

Publish Date: 2015-01-22

URL: WS-2017-0266

CVSS 3 Score Details (3.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: TritonDataCenter/node-http-signature#36

Release Date: 2017-01-31

Fix Resolution: 1.0.0
